On 15 Oct 2012, Singapore’s Parliament passed the Personal Data Protection Bill, a law enacted to protect the personal data of individuals. With it comes the creation of a new government entity, the Personal Data Protection Commission and a National Do-Not-Call Registry (DNC). The Personal Data Protection Commission will oversee and enforce matters relating to the Act while the DNC allows individuals to register their number if they do not wish to be contacted by businesses for commercial purposes.
The registry is expected to be ready for the public to sign up in early 2014.
The impetus for Singapore to pass such a law is economic survival. For a country without a provision for the protection of privacy in its constitution, this is unsurprising. For more than a decade we have resisted such a law on the grounds that it will unnecessarily burden SMEs. Previously, the Model Data Protection Code introduced in 2002 for voluntary adoption was considered sufficient. The introduction of this bill now brings us up to the information protection levels of countries such as Hong Kong, Canada, New Zealand, neighboring Malaysia and the E.U.
This far-reaching law will affect all organizations and businesses except government agencies. All entities in possession and control of personal data will have to check if they need to comply. One example would be the use and storage of personal data for Human Resource (HR) purposes. With the new law in effect, after recruitment exercises, HR has to technically destroy the personal data of unsuccessful candidates. Transactions such as mergers and acquisitions, amalgamation, leasing or financing will now have to take this law into account, if personal data is used. Telemarketers will need to send their database to be filtered by the Do-Not-Call Registry.
Violators can be charged up to $10,000 for every unsolicited marketing call and be fined up to $1 million for every data protection offense.
Not all data fall within the ambit of the Act. One general exception is business contact details, information you usually find on business cards.
The law has a sunrise period of 18 months for compliance with the data protection regime. During this period, all organizations with a database of personal data should start designating a person to be in charge. Their contact information must be made public. Organizations should also carry out an internal audit to ensure compliance with the law.
Should you require any assistance, please contact George@georgehwangllc.com