Financial Services Bulletin June 2016

Published date: 29 Jun 2016

PDPC issues new guide and amends advisory guidelines to help organisations manage requests for access to personal data

On 9 June 2016, the Personal Data Protection Commission (“PDPC”) issued a new “Guide to Handling Access Requests” (“Guide”). The Guide aims to help organisations effectively manage individuals’ requests for access to their personal data in compliance with the Personal Data Protection Act (“PDPA”). The Guide recommends that organisations should establish clear policies and processes for handling access requests, such as:
· Stating clearly the access request channels available, for example, whether an access request form can be submitted in person, via e-mail or by post, or how online retrieval of personal data can be performed.
· Obtaining specific information from the individual requesting access, to identify the individual and help locate the requested personal data.
· Providing written estimates of any fee required for responding to an access request, and informing the individual in writing of any increment in the final fee. The set fees must be reasonable.
· Providing access to requested personal data as soon as reasonably possible, and determining the response time if this is not possible within 30 days.
· Setting out standard operating procedures for processing access requests (for example, the verification procedures to be followed for ascertaining the identity of the requestor), particularly where a request is made on behalf of another, or where two or more individuals are requesting their respective personal data in the same set of records.
· Providing access to requested personal data, excluding any personal data for which PDPA exceptions and prohibitions apply.
· Keeping a record of all access requests in case of any dispute or application to PDPC for review, subject to an appropriate retention policy.
· Preserving personal data (subject to an appropriate retention policy) while processing an access request and after rejecting an access request, in case of any application to PDPC for review.
The PDPC also revised the following Advisory Guidelines:
· Advisory Guidelines on Key Concepts in the Personal Data Protection Act: Chapter 15 on “The Access and Correction Obligation” has been revised to provide further clarity on how organisations should handle access requests in certain situations, and the preservation of the requested personal data by organisations when processing or after rejecting an access request.
· Advisory Guidelines on the Personal Data Protection Act for Selected Topics: Chapter 4 on “Closed-circuit Televisions Cameras (“CCTVs”)” has been revised to provide further clarity on organisations’ obligation to provide access to personal data in CCTV footage.
The amendments may be looked upon as a useful checklist for organisations to verify their PDPA compliance. In particular, organisations should be mindful of: (a) additional retention requirements which may apply when personal data is subject to an access request. For example, CCTV systems may need to be checked and their normal operation overridden where they are programmed to automatically overwrite the oldest stored data; and (b) the PDPC’s view that “obtaining consent” may address the prohibition in section 21(3)(c) of the PDPA against revealing personal data about another individual when responding to an access request.
Reference materials
The Guide and revised Chapters to the Advisory Guidelines can be retrieved from the PDPC website.
For further information, please contact:
+65 6890 7883
+65 6890 7627
+65 6890 7833
