Singapore’s Personal Data Protection Act 2012 (PDPA) came into force in 2012. By now, most organisations are familiar with the obligation to obtain the requisite consent when collecting, using and disclosing personal data, the obligation to check the Do Not Call Registry, and the need to implement privacy statements which are typically placed on websites.

However, there is one area where many organisations are still lacking. This is the obligation to develop and implement data protection policies and practices. Recent decisions by the Personal Data Protection Commission (PDPC) highlight the necessity for organisations to ensure that they have developed and implemented suitable policies and practices for the protection of personal data.

Section 12 of the PDPA provides that an organisation has the obligation to:

  1. develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
  2. develop a process to receive and respond to complaints that may arise with respect to the application of this Act;
  3. communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and
  4. make information available on request about —
    1. the policies and practices referred to in paragraph (a); and
    2. the complaint process referred to in paragraph (b).

Most organisations would have developed and implemented external / customer facing documentation such as privacy policies to comply with their consent and notification obligations under the PDPA. Often, what may be overlooked is another equally important area – internal-facing policies and practices intended for an organisation’s employees so as to guide them in handling personal data.

Recent decisions by the PDPC

This issue of internal-facing policies and practices were considered in the recent cases of M Star Movers [2017] SGPDPC 15 and Jiwon Hair Salon [2018] SGPDPC 2. These cases involved respectively, a moving company and several hair salons. They had been under investigation PDPC for potential breaches of the PDPA, and in the course of the investigations were asked to demonstrate and present their internal data protection policies and practices to the PDPC.

The organisations in both cases were not large corporations, nor even businesses handling large amounts of personal data. They were, by most measures, modest in size and operation. Understandably, developing and implementing data protection policies for their employees was not a priority. Nevertheless, the PDPC’s expectation was for them to have developed and implemented data protection policies and practices appropriate to their business. As these organisations did not develop and implement such policies and practices, they were eventually found by the PDPC to be in breach of their obligations under Section 12.

In each of these cases, the PDPC stated the following in their grounds of decision:

“At the very basic level, an appropriate data protection policy should be drafted to ensure that it gives a clear understanding within the organisation of its obligations under the PDPA and sets general standards on the handling of personal data which staff are expected to adhere to. To meet these aims, the framers, in developing such policies, have to address their minds to the types of data the organisation handles which may constitute personal data; the manner in, and the purposes for, which it collects, uses and discloses personal data; the parties to, and the circumstances in, which it discloses personal data; and the data protection standards the organisation needs to adopt to meet its obligations under the PDPA.

An overarching data protection policy will ensure a consistent minimum data protection standard across an organisation’s business practices, procedures and activities (e.g. communications through social media).” [emphasis ours]

The message by the PDPC is clear – all organisations, large or small, must have internal personal data protection policies and practices, and must be able to demonstrate and show compliance with these policies and practices when called upon to do so.

While an organisation may have data protection policies and practices in place, it is equally pertinent that these policies are clearly documented. If an organisation’s policies and practices are not clearly documented and is simply a corporate practice / tradition e.g. through custom or verbal instructions, it would inevitably be difficult to demonstrate compliance when called upon to do so by the PDPC.

Insofar as what constitutes appropriate data protection policies and practices, this would vary from organisation to organisation, depending on its business and operations. For example, in the M Star Movers case, the PDPC went so far as to state its expectations that organisations with a social media presence / platform used to communicate with customers ought to have specific policies to address the risk of disclosing personal data through these platforms:

Organisations with a social media or other online presence (e.g. social media forums), particularly those that rely on such platforms to communicate with its customers, ought to develop appropriate policies, practices and procedures that amply address the risks of disclosing personal data on social media or other online sites. Together, these policies, practices and procedures should seek to (i) ensure that staff who communicate through an organisation’s social media account or similar platforms are aware of the organisation’s data protection obligations and the importance and need to protect personal data; (ii) crystallise the organisation’s position on the circumstances in which it may be appropriate to disclose personal data on these platforms for example, disclosures for which individuals have already consented to; (iii) ensure that the organisation maintains an appropriate level of control on the content posted on these platforms (e.g. by limiting the number of staff who are allowed to post and placing conditions on these staff such as requiring them to undergo relevant data protection training); (iv) crystallise the organisation’s retention rules in respect of posts on such platforms; and (v) provide an avenue to escalate issues or queries to the appropriate function or role within the organisation.” [emphasis ours]

What are the chances of an investigation by the PDPC?

Between 2015 and 2017, the PDPC received over 8,600 complaints, with over 2,200 complaints in 2017 alone. Consequently, it is not a question of whether, but when, an organisation would be the subject of a complaint that prompts investigations by the PDPC. In the course of such investigations, the organisation would be expected to demonstrate and show all its data protection policies and practices to the PDPC to demonstrate compliance, and avoid sanctions.

Immediate action steps needed

Reactive organisations that wait until such investigations to start developing and implement their data protection policies and practices would be placed in an unfavourable position when defending themselves against enforcement action by the PDPC. At the very least, organisations should develop policies and practices relating to:

  • what type of personal data it may collect, and what should not be collected
  • storage and security of personal data
  • how long data would be kept for
  • how data would be deleted or destroyed

The policies cannot be templated documents. They must relate to the business carried out by the organisation, and must be commensurate with the nature and amount of personal data it handles as well as the risks to individuals. These policies will shape the behaviour of staff within the organisation, avoid breaches of the PDPA, and act as a mitigating factor in the event of an inadvertent breach.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.