Singapore

LEG-01:

Legislation enacted specifically for data privacy?
– Personal Data Protection Act 2012

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Spam Control Act 2008
– Telecommunications Act 1999
– Computer Misuse and Cybersecurity Act 1997

LEG-03:

The Country is a member of an organisation that implements guidelines for data privacy.
– APEC Cross-border Privacy Enforcement Arrangement (CPEA)
– APEC Privacy Framework

LEG-04:

Local government has any Bills going through the legislative process.

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.

LEG-06:

Has other state laws related to privacy. Note: these are not identified here as they are too extensive.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.
– Personal Data Protection Act 2012 Section 5
Notes: Establishes the Personal Data Protection Commission

PRI-02:

There is a requirement to establish a privacy commissioner.

PRI-03:

The functions of the authority clearly set out.
– Personal Data Protection Act 2012 Section 6

PRI-04:

There is a requirement each company establishes their own privacy officer to ensure the company complies with policy.
– Personal Data Protection Act 2012 Section 11 (3)
Notes: Data Protection Officers

PRI-05:

Contact details of the privacy officer are made available.
– Personal Data Protection Act 2012 Section 11 (5)

PRI-06:

Each company to have an internal privacy policy proposed and displayed.
– Personal Data Protection Act 2012 Section 12

PRI-07:

An internal audit process is outlined for each company.
Notes: The Personal Data Protection Commission recommends that Data Protection Officers use its “Personal Data Protection Checklist for Organizations”. This will help to audit current policies.

PCP-01:

“Personal Information” is defined which gives examples and a clear outline.
– Personal Data Protection Act 2012 Section 2
Notes: Personal Data

PCP-02:

“Sensitive Information” is defined which gives examples and a clear outline

PCP-03:

Other types of information are defined that are viewed differently from personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Personal Data Protection Act 2012 Section 13

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent different for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– Personal Data Protection Act 2012 Section 16

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– Personal Data Protection Act 2012 Section 18 – 20

PRO-01:

Individual has the ability to access their data by request.
– Personal Data Protection Act 2012 Section 21

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Personal Data Protection Act 2012 Section 22

PRO-03:

Data can be sent to a third party for processing.
– Personal Data Protection Act 2012 Section 4 (2) and 4 (3)
Notes: Third party referred to as a “data intermediary”

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– Personal Data Protection Act 2012 Section 18

PRO-05:

Encryption used for processing of data to ensure anonymity.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method

PRO-06:

Unique identifiers can be used.
– Personal Data Protection Act 2012 Section 25
Notes: Although this section is to do with data retention, it is implied that identifiable characteristics should be removed as soon as possible.

PRO-07:

Information may not be disclosed, sold or interfered with.
– Personal Data Protection Act 2012 Section 13 and 59

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Personal Data Protection Act 2012 Section 51 – 56

PRO-09:

A complaints process is setup to deal with any breach of privacy.
– Personal Data Protection Act 2012 Section 12 and 27 – 32

STO-01:

All data is stored with at least a “reasonable” level of security.
– Personal Data Protection Act 2012 Section 24

STO-02:

Encryption techniques used to store data.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method

STO-03:

Data can be transferred to third-parties to use.
– Personal Data Protection Act 2012 Section 4 (2) and 4 (3)

STO-04:

Data can be stored offshore in a different country.
– Personal Data Protection Act 2012 Section 26

STO-05:

Data can be stored off site but in the same country.

STO-06:

Information is only kept by the collection agency for the shortest time needed for the outlined purpose to be fulfilled.
– Personal Data Protection Act 2012 Section 25

STO-07:

Policies in place for the destruction of data once consent is withdrawn or data is no longer needed.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Personal Data Protection Act 2012 Section 51 – 56
Notes: Not specific to storage

STO-09:

Notification has to be given to individuals in case of a data breach.

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
– Spam Control Act 2008 SECOND SCHEDULE Section 2

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– Spam Control Act 2008 SECOND SCHEDULE Section 3(d)

SPM-03:

Subject line to be clear and not misleading.
– Spam Control Act 2008 SECOND SCHEDULE Section 3(a) and 3(b)

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.
– Spam Control Act 2008 Section 9

SPM-05:

A form of a “Do Not Call” register is in place.
– Personal Data Protection Act 2012 Section 39

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– Personal Data Protection Act 2012 Section 11

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.
– Personal Data Protection Act 2012 Section 11.
Notes: The definition of a “Singapore link” in Section 7 may be needed for further explanation.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.

INT-05:

External countries have the ability to intercept data with permission from the host country.
