highlights of the singapore personal data protection act 2012

Uploaded by fuji-xerox-singapore, posted 24 June 2015.

Page 1: Highlights of the Singapore Personal Data Protection Act 2012

DAVID HK Lim MBA CEHA

HP: 82886878 Email: [email protected]

www.SGPDPA2012.com

Page 2

Profile – Short Version

• Previously worked for MNCs: NMB, McDonald's, Seagate, Maxtor & Sony. Production, Program Management & Business Development for Asia Pacific, Middle East & South Africa.

• Own business: Database Mining Consultancy; Real Estate Agency License; PDPA Seminars & Workshops.

Page 3

HIGHLIGHTS

Singapore Personal Data Protection Act 2012

Contents:

1) About SG PDPA Compliance
2) What is Privacy?
3) What is the Purpose & Why?
4) Penalties for non-compliance?
5) 9 Organisation Obligations
6) Do Not Call Registry
7) Summary of PDPA Compliance Framework
8) 3 Major Recommendations: Management Tools
9) Seminar on 13 Sept 2013, 2pm to 5pm, M. Hotel

Page 4

Seminar – Overview

Just 4 Steps: Systematic Approach

Understanding & Compliance: Singapore Personal Data Protection Act 2012

13 September 2013, 2pm to 5pm, M. Hotel

David HK Lim, SG PDPA Compliance Resources Centre

Page 5

Seminar Overview: Singapore Personal Data Protection Act 2012

Contents Outline

1. What is PDPA 2012
2. Data Protection Provisions: General Rules / Collection, Uses & Disclosure; Access & Correction / Care of Personal Data
3. Do Not Call Provisions
4. Offences, Penalties & Civil Action
5. Summary outline of PDPA Compliance Framework
6. Ten Major Elements of an Effective Compliance Program

Page 6

One Stop PDPA Solutions

• Provides One Stop PDPA Solutions
• Works with Professionals, Experts, Businessmen, Lawyers, IT Data & Security specialists and others on PDPA Compliance solutions
• PDPA Compliance Marketing Consultancy
• Conducts PDPA Seminars & Training Workshops
• Provides training for jobs as PDPA Compliance Officers & Managers
• Supplies PDPA-trained personnel to companies
• Offers PDPA solutions in IT Data Security & Management Systems
• SOP PDPA Compliance Manuals by Industry

Page 7

About PDPA - Video

Page 8

Your company MUST comply if it:

a) hires any employees
b) sells directly to individuals
c) collects personal data for business
d) deploys cold calls, SMS or fax marketing.

• You must appoint ONE Compliance Officer.

• The penalty for non-compliance is up to S$1 million.

• You cannot SMS, cold call or fax those registered on the Do-Not-Call registry list provided by the government.

• The penalty for DNC non-compliance is S$10,000.

Page 9

B2B / B2C / M2M

• B2B – Business to Business: Not applicable

• B2C – Business to Consumer: Applicable

• M2M – Machine to Machine: Applicable?

Page 10

Under the SG PDPA Act 2012, "Organisation" means:

• Companies & Businesses
• Sole Proprietors
• Organisations, Societies & Associations
• Churches, Temples & Religious bodies
• Even Individuals are included
• All of the above, as long as Personal Data is involved: Online or On Record, Digital or Physical

Page 11

WHO ARE THE MAIN PERSONNEL INVOLVED IN PDPA COMPLIANCE? AND WHY?

• Top Management – Chairman, CEO, MD & Business Owners. Why? The penalty for non-compliance is up to S$1 million.

• Human Resources / Compliance Team – Employees' Data / Legal Counsel / Compliance Policies.

• Sales & Marketing – Do Not Call provisions (DNC). Comply with SMS, Cold Call & Fax regulations. Penalty S$10,000 for the organisation.

• IT – Data Security & Management. Internal threats: secured & authorised access. External threats: Firewall & Cloud Computing.

• Legal / Contract Laws involving different countries, e.g. EU & Singapore. More than 50 countries already have PDPA laws, and the number is growing.

Page 12

4 Types of Privacy

• Physical
• Communications
• Spiritual / Intellectual
• Information / Data

Page 13

Type 4 - Information / Data

- Name
- Identity
- Photo
- Income
- Ethnic Group
- Gender
- Age
- Marital Status
- Educational Level

Page 14

What is PDPA about?

• Singapore Personal Data Protection Act 2012

• Passed by Parliament on 15 October 2012

• Governs the Collection, Uses & Disclosure and Retention & Disposal of Personal Data

• Becomes law on 2 January 2013.

Page 15

What is the purpose of PDPA?

• Safeguard individuals' personal data against misuse

• Individuals have control over their data

• Complement sector-specific frameworks

• Enhance Singapore's competitive advantages in data hosting & management

• Be consistent with international standards

• Complaints-based approach

Page 16

What is Personal Identifiable Information?

• Individually identifiable information, e.g. Name, NRIC, passport, photo, credit card, bank account, DNA, thumbprint, mobile number, personal email, etc.

• Any set of matching data, e.g. name, address, age, telephone number, occupation, etc.

- Example 1: NRIC or Photo or Credit Card – YES
- Example 2: Name only. Mary Tan alone – NO.
- Example 3: Name with address. Mary Tan, Blk 123, Yishun St. 61, 01-123 – YES

Page 17

MAJOR METHODS OF PERSONAL DATA COLLECTION

• 1) LUCKY DRAWS – RETAIL
• 2) SURVEY FORMS – INSURANCE
• 3) JOB APPLICATIONS – HR
• 4) PHOTOCOPY NRIC – REGISTRATION
• 5) ONLINE MEMBERSHIPS – INTERNET
• 6) COOKIES – EMBEDDED SOFTWARE
• 7) WARRANTY CARDS – SERVICE CENTRES
• 8) "HACKING" – ESPIONAGE

Page 18

4 MAIN COMPONENTS OF PDPA: MUST REMEMBER & COMPLY

• 1) COLLECTION & CONSENT
• 2) USES & DISCLOSURE
• 3) RETENTION & DISPOSAL
• 4) DO NOT CALL REGISTRY

Personal Data of:
• Employees' personal data (HR Dept)
• Customers' personal data (individuals)

Page 19

2 Examples – By Industry. Why must comply?

Example 1: SPAs
• HR Dept. Employees' Personal Data involved
• Customer Contracts. Customers' Individual Personal Data involved.
• Telemarketing / SMS. Individual Personal Data involved: name / mobile or telephone number

Example 2: Leisure Cruises – many countries.
• HR Dept. Employees' Personal Data involved
• Members. Customers' individual Personal Data involved.
• Telemarketing / SMS / Fax. Individual Personal Data involved: name / mobile or telephone number
• Transfer of Personal Data – different ports of call.

Page 20

Take Note: 3 Penalties of PDPA

• 1) No Compliance Policy: Penalty for organisation up to S$1 Million
• 2) Non-Compliance with Access & Correction: Penalty S$5,000 + Jail Term 12 months
• 3) Violation of Do-Not-Call provision: Penalty S$10,000 per violation

Page 21

9 Obligations ALL Organisations MUST Comply With

• 1) The Openness Obligation.
• 2) The Consent Obligation.
• 3) The Purpose Limitation Obligation.
• 4) The Notification Obligation.
• 5) The Access and Correction Obligation.
• 6) The Accuracy Obligation.
• 7) The Protection Obligation.
• 8) The Retention Limitation Obligation.
• 9) The Transfer Limitation Obligation.

Page 22

National Do-Not-Call Registry

• "STN": Singapore Telephone Number, beginning with 3, 6, 8 or 9

• "Specified Message": relating to the supply or promotion of goods & services, land, business opportunity, obtaining information, etc.

• Either Sender or Receiver in Singapore

Page 23

What is the National Do Not Call (DNC) registry about, and what does it cover?

• Opt-out option for individuals NOT to receive any direct marketing

• Applicable to 3 registries:
  a) Telephone Registry: Voice calls (cold calls)
  b) Text Registry: SMS (text message)
  c) Fax Registry: Fax

• Direct Mailing (postal mailing) not included
• Email is not included

Page 24

PROPOSED FEE – ACCESS DNC

• Prepaid*: 5K - $100, 10K - $150, 25K - $350, 100K - $1,200, 250K - $2,700 & 1 Million - $10,000

• Pay-per-use fees**: 1-300 @ $0.033, 301-5K @ $0.03, 5K-10K @ $0.026, 10K-25K @ $0.024, 25K-100K @ $0.019, 100K-250K @ $0.015 & 250K-1 Million @ $0.012

Page 25

Summary of PDPA Compliance Framework

• 1. Appointment of Data Protection Compliance Officer

• 2. PDPA Compliance System
  2.1. Data Protection Policy
  2.2. Compliance with 9 Organisation Obligations
  2.3. Compliance with the Do Not Call Provision
  2.4. Handling Complaints
  2.5. Communication of Policies & Practices
  2.6. HR issues

Page 26

3 MAJOR Recommendations for the nominated Compliance Officer

Management Tools

• Design & Deploy a Fact Finding Book: to manage & track whose fault ("Fault Finding Book")

• Data Encryption & Security Solutions: to manage & track digital data usage & security

• Physical Data Security Solutions: to manage & track physical documents & disposal

Page 27

Seminar

• Date: 13 September 2013, 2pm to 5pm.
• Venue: M. Hotel, Anson Road.
• Fee: S$650 per pax / S$1,250 for 2 pax.
• Early Bird: S$600 per pax / S$1,225 for 2 pax. Register & pay before 30 August 2013.
• Limited to 20 pax only.

Page 28

Q & A

Thank You !!