Legal Bulletin July 2016


Published date: 27 Jul 2016

PDPC revises advisory guidelines and announces new/updated guides and initiatives

In July 2016, the Personal Data Protection Commission (“PDPC”) made further revisions to existing Advisory Guidelines on withdrawal of consent requirements, and also announced new/updated guides and initiatives to help organisations with implementing good personal data management and security practices. The PDPC has also adopted a practice of regularly posting new Grounds of Decision on the PDPC website.
Revised advisory guidelines on withdrawal of consent requirements
On 15 July 2016, the PDPC revised the “Consent Obligation” chapter in the “Advisory Guidelines on Key Concepts in the Personal Data Protection Act” to provide further clarity on the withdrawal of consent requirements, including how organisations are to facilitate and effect withdrawal of consent requests.
One key revision provides clarity where a withdrawal notice for marketing is kept general (i.e. where the withdrawal notice does not clearly indicate in what manner a withdrawal request will be treated). In such instances, the PDPC will “typically” consider such withdrawal of consent sent via a particular channel to only apply to marketing messages sent via that same channel. This may provide some relief to organisations, but it bears highlighting that the revised advisory guidelines also state that withdrawal notices should not be kept general and encourage organisations to include in withdrawal notices information on how individuals may withdraw consent for other matters.
Further, organisations that require more than 10 business days from the date of receipt of a withdrawal notice to effect the withdrawal should, as a “good practice”, inform the individual of the time frame by which the withdrawal of consent will take effect. Under section 16 of the Personal Data Protection Act 2012 (“PDPA”), individuals may withdraw consent on giving reasonable notice.
New/updated guides and initiatives to help organisations implement good personal data management and security practices
On 20 July 2016, the PDPC announced the following new/updated guides and initiatives to help organisations with implementing good personal data management and security practices. The new Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data is likely to be the most useful to organisations. While the sample contractual clauses provided do not contain anything novel for organisations who have previously completed PDPA compliance effectively and have kept up-to-date with previous guides issued by the PDPC, they are a useful checklist of the expectations of the PDPC and may provide an opportunity to update internal precedents:
· New Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data: This new guide provides sample contractual clauses that organisations may refer to when engaging vendors to provide services relating to the processing of personal data. However, the use of the sample clauses does not necessarily mean compliance with the PDPA or any other law.
· Helping SMEs develop good data management processes and systems: The PDPC is collaborating with SPRING Singapore to help interested small and medium enterprises (“SMEs”) tap on SPRING’s Capability Development Grant (CDG) to defray up to 70% of qualifying project costs such as consultancy and training, assessments and audits, and adoption of data protection software solutions. This is to help SMEs develop good data management processes and systems to secure the data they hold.
· Training of data protection officers (“DPOs”): The Workforce Development Authority’s (WDA) Business Management Workforce Skills Qualification PDPA course will be further enhanced for the training of DPOs and serve as a foundation for the eventual professionalisation of DPOs. DPOs are mandatory under the PDPA and they are integral for organisations to implement responsible data sharing practices.
· New Guide to Building Websites for SMEs: This new guide helps SMEs understand common protection measures required when setting up websites that collect or store personal data and the considerations to be taken when outsourcing such works to IT vendors. For example, the guide covers issues relating to confidentiality, incident management, server and network security, and website programming.
· New Guide to Disposal of Personal Data in Physical Medium: This new guide provides guidance on the disposal of physical medium (largely paper) containing personal data and the different ways of disposal available. There is a helpful checklist of good practices that organisations may refer to when assessing their practices in disposal of personal data on documents. For example, if an organisation recycles used paper, the staff should be reminded to check whether there is personal data left on the recycled paper, or whether the shredding machine is regularly cleared and serviced, or whether there are disposal policies in place which determine how different data must be disposed of.
· Updated Guide to Securing Personal Data in Electronic Medium: This guide has been updated to include new information on cloud computing, IT outsourcing and security patching.
· Collection of stories on sharing data protection practices by organisations in different sectors: The PDPC has also issued a compilation of articles sharing data protection practices by organisations in different sectors, with practical learning points that others may reference. These stories will also be documented on video and broadcast towards the end of 2016 to reach a wider audience.
Reference materials
The following reference materials can be found on the PDPC website:
· Media release
· Grounds of Decision
For other recent developments in relation to the PDPA, please click on the titles below to read previous articles which were featured in the Allen & Gledhill Legal Bulletin:
For further information, please contact:
+65 6890 7883
+65 6890 7627
+65 6890 7833
