The Personal Data Protection Commission (PDPC) has revised Chapter 6 (Organisations) and Chapter 15 (Access and Correction Obligations) of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act, or PDPA (the Guidelines).
Chapter 6 has been revised to provide clarity on the obligations of organisations and data intermediaries where personal data is transferred overseas.
- Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation, regardless of whether the personal data is transferred by the organisation to an overseas data intermediary, or transferred overseas by the data intermediary in Singapore.
- The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances when engaging a data intermediary to ensure it is capable of doing so.
Chapter 15 has been revised to provide clarity on access requests to personal data received by organisations.
- Where organisations need not accede to an access request
Generally, an organisation must respond to an access request by providing access to the personal data requested, or by informing the individual of a rejection of the access request where it has valid grounds not to provide access. The Guidelines clarify that organisations are not required to accede to a request
- if an exception (as set out in the Fifth Schedule of the PDPA) from the access requirement applies;
- if applicant has not paid the fee for services provided to the applicant to enable the organisation to respond to the applicant’s request, provided the organisation has provided the applicant a written estimate of the fee; or
- if any of the grounds in Section 21(3) of the PDPA are applicable such as where the provision of the personal data or other information could reasonably be expected to threaten the safety or physical or mental health of an individual other than the requesting individual, or to cause immediate or grave harm to the safety or physical or mental health of the requesting individual.
- Access requests relating to legal proceedings
Where personal data has been collected for the purpose of prosecution and investigations, etc, organisations are not required to accede to the access request pursuant to an exemption under the PDPA. Access need not be provided in respect of a document related to a prosecution if all proceedings related to the prosecution have not been completed.
The Guidelines clarify that where personal data has been collected prior to the commencement of prosecution and investigations but is nevertheless relevant to the proceedings, an individual should obtain access through criminal and civil discovery avenues rather than through an access request under the PDPA. The PDPA does not affect discovery obligations under law that parties to a legal dispute may have (e.g., pursuant to any order of court).
The PDPC has also introduced a new chapter on "Cloud Services" in the Guidelines on the PDPA for selected topics to provide clarity on the responsibilities of organisations using cloud services to process personal data in the cloud and the responsibilities of cloud service providers (CSPs) when processing personal data on behalf and for the purposes of organisations.
- Obligations of the organisation
- When using cloud services, the organisation is responsible for complying with all obligations under the PDPA in respect of personal data processed by the CSP on its behalf and for its purposes.
- As mentioned above, the organization that engages a CSP as a data intermediary to provide cloud services is also responsible for complying with the Transfer Limitation Obligation with respect to any overseas transfer of personal data in using the CSP’s cloud services, regardless of whether the CSP is located in Singapore or overseas.
- Obligations of the CSP
- Where the CSP is processing personal data on behalf and for the purposes of another organisation pursuant to a written contract, the CSP is considered a “data intermediary” and subject to the Protection and Retention Limitation Obligations under the PDPA in respect of the personal data that it processes or hosts for the organisation in data centres outside Singapore.
- The CSP, as an organisation in its own right, remains responsible for complying with all data protection provisions in respect of its own activities which do not constitute processing of personal data under the contract.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Wai Ming Yap*
*A solicitor of Morgan Lewis Stamford LLC, a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP