21 August, 2016
Singapore businesses that outsource the processing of personal data to other companies should contractually oblige data processors to obtain their "prior written consent" before transferring the data outside of the city state, the country's data protection watchdog has said.
Data processors that receive consent for data transfers should "provide a written undertaking to the customer that the customer personal data transferred outside Singapore will be protected at a standard that is comparable to that under the PDPA", according to the template clause developed by the Personal Data Protection Commission (PDPC).
The PDPA is the Personal Data Protection Act, Singapore's data protection legislation.
The PDPC's template data transfers clause is contained in new guidance (9-page / 502KB PDF) it has issued for businesses operating in Singapore that might be considering outsourcing data processing to third parties.
According to the clause, data processors would be required to obtain written undertakings from sub-contractors that the customer personal data will be protected at a comparable standard to that set out in the PDPA.
In explanatory notes set out alongside the template clause, the PDPC said Singapore businesses should take additional steps to "ascertain and ensure that the overseas recipient of the personal data is bound by legally enforceable obligations" to sufficiently protect personal data when outsourcing its processing.
"Aside from obtaining a written undertaking, the customer may also impose other types of legally enforceable obligations on the contractor (and any third party overseas recipient) to provide to the transferred customer personal data a standard of protection that is at least comparable to that under the PDPA," the PDPC said. "Examples of other types of legally enforceable obligations that can be imposed on the contractor include binding corporate rules or any other legally binding instrument. This clause can be adapted according to the type of legally enforceable obligation that is imposed."
Other recent guidance the PDPC has issued includes advice to SMEs on building websites (12-page / 313KB PDF), how businesses should secure personal data in electronic form (36-page / 876KB PDF), and on the disposal of personal data on physical medium (14-page / 520KB PDF).
The PDPC said that businesses should not take the disposal of personal data "lightly". Where personal data is contained on paper, the PDPC said the documents could be burned, shredded or pulped when that data needs to be disposed.
Businesses that outsource the disposal of personal data should not that they will remain account for the personal data once they hand over the media containing the personal data to a third party, the watchdog said. Outsourcing contracts should provide for disposal of the data in line with the requirements of the PDPA, it said.
The PDPC warned of the risk that paper documents containing personal data might be mixed with papers for recycling and said simply discarding the paper into a "trash bin" would not be compliant with the PDPA.
"Incomplete disposal can lead to data breaches," the PDPC said.
"When in doubt whether the paper document contains personal data, shred the document; and encourage staff to shred paper documents containing personal data regularly to build up a habit," the PDPC said. "Shredded paper can still be sent for recycling, encouraging environmental sustainability."
For further information, please contact:
Mohan Pillay, Partner, Pinsent Masons
mohan.pillay@pinsentmasons.com