In January, the Personal Data Protection Commission in Singapore will celebrate its fifth anniversary. While any number of privacy regulators have popped up since the PDPC’s establishment – from the Philippines’ to Japan’s to Ghana’s – it’s still easy to think of Singapore as a relatively young governing body.
The Personal Data Protection Act didn’t even come into full effect until July 2, 2014. However, the PDPC has quickly established itself as one of the most active and involved regulators in the world, and anyone doing business on the island nation should be aware of what tends to draw the PDPC’s attention.
Truth be told, the PDPA isn’t a particularly stringent privacy law, particularly in the context of the EU’s upcoming General Data Protection Regulation, with fines up to 4 percent of global revenue, or Japan’s amended Act on the Protection of Personal Data, which places strict limits on how data can be moved outside the country. But a law is only as good as the enforcer behind it, and Singapore’s PDPC has shown it will actively enforce what power it has.
For instance, business contact information is almost entirely exempt from its provisions. And if you’re doing business on behalf of the government, you’re not covered by the law at all. Further, the PDPA contains a provision for implied consent when consumers volunteer data, which companies have interpreted broadly.
Publicly available data? Fair game. Are you using the personal data for evaluative purposes? No problem (though it isn’t entirely clear what “evaluative” means). There’s even a carve-out for those using personal data for artistic or literary endeavors.
So, what does get you in trouble in Singapore? First and foremost, failing to properly secure personal information. Singapore applies the reasonableness standard here, which can be squishy, but what the PDPC has made clear is that just because you have a policy, and people are following the policy, doesn’t mean you’re safe.
In the case of DataPost, for example, the PDPC found that the company’s plan for ensuring that no one envelope contained the information of more than one customer was a bad one and involved too much risk from the outset, regardless of the fact that human error was to blame. In effect, the PDPC ruled DataPost should have expected human error with that particular process, and it therefore both fined the company and required a new process be put in place.
Note: PDPC investigations are thorough affairs and very well documented.
However, also note that the fine was just SING 3,000, or about $2,000. It was a relatively small breach and there was no evidence of actual harm. The largest fines this year were SING 10,000, and those were for fairly egregious offenses, like publishing a do not call list on the Internet by mistake and leaving it there for anyone to find.
In fact, the PDPC often issues warnings and “directions” rather than issuing a fine. Some of the directions might involve serious time and effort, such as a direction to institute new training procedures or to rewrite a policy, but they generally just require a company to get up to speed with the generally recognized international norm for handling personal information.
They do, however, act pretty frequently. With 10 enforcement actions already this year, the PDPC is easily among the 10 most active regulators in the world, and that’s perhaps not surprising. With the amount of time and resources the PDPC puts into its monthly newsletter, frequent guidance, appearances at events, and robust website, those organizations that are not in compliance have been given fair warning and can hardly claim ignorance.
Further, PDPC investigations are generally begun following consumer complaints, which are largely triggered by obvious screw-ups (more than one customer’s information in a single envelope; customer lists thrown in the trash) or direct marketing that violates the do not call list. While these are often the result of human error, remember that the PDPC doesn’t necessarily accept that as an excuse. A little training ahead of time to prevent simple mistakes might be an investment worth making.
Essentially, Singapore and its commission go out of their way to make privacy and data protection easy for companies doing business there. If your company isn’t paying attention, you should expect a knock on the door.
Editor’s Note: RSA Conference and the International Association of Privacy Professionals combine to create a week of privacy and security programming in Singapore the week of July 24. The IAPP Asia Privacy Forum happens July 24-25, while RSAC APJ happens July 26-28. Both are at the Marina Bay Sands.