17 May, 2016
Introduction
The Personal Data Protection Commission (“PDPC”) introduced Advisory Guidelines on the enforcement of data protection provisions under the Personal Data Protection Act of Singapore (“PDPA”) on 21 April 2016 (“the Enforcement Guidelines”).
Part I of the Enforcement Guidelines
The Enforcement Guidelines have been issued to provide guidance on the PDPC’s approach to enforcing its powers in relation to data protection provisions under the PDPA, with the explicit intention of achieving two main objectives:
(a) to facilitate the resolution of any complaint relating to any actual or potential contravention of the data protection provisions; and
(b) to ensure that organisations that collect personal data in Singapore comply with the data protection provisions in the PDPA and where non-compliance occurs, appropriate and timely corrective measures and any other necessary action are taken.
On the first objective, for any individual aggrieved by a contravention of the data protection provisions of the PDPA (“Complainant”), the Enforcement Guidelines set out alternative measures and remedies available to the Complainant to resolve the matter.
On the second objective, for the affected organisations, the Enforcement Guidelines set out the factors and procedures that the PDPC will follow in investigating such complaints. In particular, the PDPC may conduct reviews and investigations of organisations:
- that lack the necessary policies, procedures, and processes;
- which contravene the data protection provisions intentionally or negligently; or
- which cause significant harm to an individual by contravening the data protection provisions.
Parts II to VIII of the Enforcement Guidelines
The Enforcement Guidelines also cover the following issues:
- Part II provides a helpful list of alternative measures and remedies that are available to the Complainant to resolve any complaint.
- Part III sets out detailed procedures relating to the review by the PDPC, on the application of the Complainant, of alleged non-compliance with the PDPA by organisations. Where the PDPC receives an application for a review in accordance with the PDPA, the PDPC will first consider whether the matter may be resolved according to Part II of the Enforcement Guidelines. If the matter is so resolved, the PDPC will generally not proceed with the review.
- Part IV sets out the circumstances relating to the commencement of an investigation by the PDPC and its powers of investigation of organisations that are suspected to have contravened the PDPA. Generally, the PDPC may commence an investigation on its own motion or upon receiving a complaint from an individual against an organisation. Before deciding whether to commence an investigation, the PDPC will consider whether the matter may be resolved according to Part II of the Enforcement Guidelines. This Part also sets out a list of factors that the PDPC will generally consider in deciding whether an investigation should be conducted. Affected organisations are also advised to consider the impact on ongoing investigations and consult with the PDPC before they issue any media release or public disclosure of the matter being investigated.
- In line with the second major objective of these enforcement guidelines, Part V sets out detailed information on the PDPC’s powers to issue directions to secure an organisation’s compliance with the data protection provisions. These directions may include directions to impose a financial penalty. A non-exhaustive list of aggravating and mitigating factors that the PDPC may consider in calculating a financial penalty is also provided.
- Part VI provides a list of common issues relating to the publication of any decision and direction by the PDPC. In particular, it sets out the PDPC’s approach in considering whether to publish a decision or direction or a summary thereof. It also reiterates that the PDPC may register a direction in the District Court of Singapore.
- Part VII elaborates on the statutory right of the affected organisation or the Complainant aggrieved by a decision or direction of the PDPC to apply to the PDPC to reconsider its decision or direction, and includes detailed information on the reconsideration procedure.
- Part VIII provides for the right of the Complainant or the affected organisation to appeal against any decision or direction of the PDPC, or appeal against the reconsideration of the decision to the Data Protection Appeal Committee.
An appeal against, or regarding, a decision or direction of the Data Protection Appeal Committee may only be made to the High Court on a point of law or on the amount of a financial penalty. This appeal can be made by the Complainant, the affected organisation or the PDPC. The decision of the High Court may be appealed to the Court of Appeal in accordance with the Rules of Court.
This Part also provides guidance on the rights of private action of any person who suffers loss or damage directly as a result of a contravention of any provision in Parts IV, V and VI of the PDPA.
Comment
These Enforcement Guidelines are most welcome to all concerned.
The issuance of the Enforcement Guidelines coincided with the enforcement decisions issued by the PDPC against 11 organisations for various breaches of the PDPA which were released on the same day.
Complainants would appreciate the guidance given by the PDPC on the procedures to resolve a complaint against an organisation for contravention of the provisions of the PDPA. Likewise, affected organisations would value the clear and detailed information on the approach adopted, and factors to be taken into account, by the PDPC when proceeding to enforce the data protection provisions in the PDPA.
rizwi.wun@rhtlawtaylorwessing.com