Singapore Data Protection Act Compliance in Asian Wealth Management Forum - 2015
Date: 22 Jan 2015
Prepared for: Hubbis (HK) Limited
Presentation by: Rajesh Sreenivasan
Designation: Lawyer, Partner
Contact details: +65 6232 0751

Not to be reproduced or disseminated without permission.

Overview of Rajah & Tann Singapore
• Largest law firm in Singapore and Southeast Asia
• Full service firm with the largest regional footprint
• Highly regarded for its leading lawyers and practices

Overview of Rajah & Tann Singapore
• Lex Mundi: the world's top independent alliance of leading law firms
• Rajah & Tann is the member firm for Singapore
• Providing clients a truly global reach

Practice Areas
• Admiralty & Shipping
• Appeals & Issues
• Banking & Finance
• Business Finance & Insolvency
• Capital Markets
• Commercial Litigation
• Competition & Antitrust and Trade Law
• Construction & Projects
• Corporate Real Estate
• Employment & Executive Compensation
• Energy & Resources
• Entertainment & Media
• Family, Probate & Trusts
• Financial Institutions
• Funds and Investment Management
• Hospitality
• Insurance & Reinsurance
• Integrated Regulatory
• Intellectual Property, Sports and Gaming
• International Arbitration
• Medical Law
• Mergers & Acquisitions
• Private Client
• Project Finance
• Tax
• Technology, Media & Telecommunications
• White Collar Crime

Overview of Rajah & Tann Asia
• Regional Offices
• Affiliate/Associate Firms
• Regional Desks

Rajah & Tann Singapore LLP | Technology, Media & Telecommunications Practice
Rajah & Tann LLP is one of the largest full-service law firms in Singapore and the Asia Pacific. We are at the leading edge of Asian law, having worked on many of the biggest and highest profile cases in the region.
As a result, we've developed a near-instinctive understanding of the issues, opportunities and challenges facing those doing business here. We also have the reach and the resources to deliver excellent service to clients all over the region, with offices in Shanghai, Kuala Lumpur, Vietnam and Laos, as well as specialist practice groups focusing on Japan, South Asia and Indonesia.
• Our Technology, Media and Telecommunications practice is one of the most established and respected practices in its field in the Asia Pacific region. With clients ranging from state governments and statutory boards to multinational corporations in the telecommunications, computer hardware and software sectors, we’ve been involved in many of the largest and most complex IT and telecommunications projects of recent years.
• Led by Rajesh Sreenivasan, who has over 15 years’ experience in this highly specialised area and is the only Asian lawyer nominated in the Expert Guides Best of the Best Information Technology 2013, the team and its partners have won numerous awards and accolades for excellence in legal service over the years. The experience and expertise of all our team members in Singapore and across the region, some of whom have worked in the telecommunications industry, complement one another.
• The work spans the region and is not confined to Singapore.

“This well-rounded TMT group has an excellent reputation…The firm’s strength on the media side indicated by high-profile client wins…When it comes to TMT law, they are at the cutting edge. They do all they can to protect their client’s interests…”
Chambers Asia-Pacific (2013 Edition)

Rajesh Sreenivasan, Partner
Head, Technology, Media & Telecommunications
Rajesh Sreenivasan has been advising clients on matters relating to data protection, telecommunications, electronic commerce, IT contracts, digital forensics and digital media for over fifteen years.

In the telecoms sector, Rajesh has structured complex IT and telecoms infrastructure procurement agreements based on traditional and PPP models and was the lead telecoms lawyer in the first MVNO arrangements in both Singapore in 2002 and in Malaysia in 2007, as well as lead counsel for one of the largest domestic submarine cables, the US$1.5 billion Palapa Ring project in Indonesia. On the regulatory front, Rajesh has assisted the telecoms regulator in Brunei in formulating Brunei’s telecoms licensing regime, as well as the Ministry overseeing ICT in the Kingdom of Lesotho, Africa, to draft its ICT legislation. Rajesh was also engaged by the ASEAN Secretariat to facilitate a pan-ASEAN forum on legislative and regulatory reforms to collectively address convergence of IT, telecoms and broadcasting across all 10 member countries, and by the Commonwealth Secretariat to co-lead an e-government capacity building exercise involving all member Caribbean nations. From a legal-commercial perspective, Rajesh has assisted leading organisations in Malaysia and Indonesia in drafting and negotiating complex IT procurement contracts, shared services and outsourcing arrangements. Rajesh has frequently been engaged by telecoms service providers and equipment manufacturers to secure telecoms regulatory clearance in Singapore and the Asia-Pacific region. His clients include state governments and multinational corporations in the telecoms, computer hardware and software sectors, government-linked companies and statutory boards.

Scope
• Reception and Enforcement of Singapore’s PDPA
• Main Implications for Advisors and Other Financial Institution Personnel
• Implications for Banks from a Governance Perspective
• How are the Banks Responding - Balancing the PDPA with Other Banking Obligations
• Q&A
Reception and Enforcement of the PDPA

Overview of the PDPA
Personal Data Protection Act (‘PDPA’) 2012
• Came into force on 2 July 2014
• 9 Data Protection Obligations
• Personal Data Definition
• Do-Not-Call (‘DNC’) Provisions came into force on 2 Jan 2014

The Data Protection Obligations
9 Data Protection Obligations:
• Consent
• Purpose Limitation
• Notification
• Access and Correction
• Accuracy
• Protection
• Retention Limitation
• Transfer Limitation
• Openness

Personal Data - Definition
• Personal data relates to a natural person, whether living or deceased, who can be identified from that information
• Covers both electronic and non-electronic data
• In order to determine whether data falls under the category of “personal data”, the following criteria should be observed:
  • Identifiability: does the data allow the identification of an individual?
  • The data should relate to a specific individual.

Reception of PDPA
Organisations
• 7 in 10 organisations are aware of their obligations under the PDPA
• 1 in 2 organisations indicated that they have compliance measures in place
• 4,986 organisations created a DNC Registry account
• 469 million numbers checked
Consumers
• > 80% are aware of DNC requirements and how the DNC Registry works
• 7 in 10 noticed a reduction in the number of telemarketing messages received
• 6 in 10 saw improvement in organisations’ practices, such as obtaining consent for telemarketing messages and including their contact information in the telemarketing messages sent
• > 767,391 unique numbers registered in the various registers
*Source: PDPC Website

Enforcement of PDPA
• The Personal Data Protection Commission (“PDPC”) has been set up to oversee the implementation of the DP law
• The PDPC has been given the powers to:
  • issue guidelines
  • give directions to remedy non-compliance
  • review complaints
  • initiate investigations
  • impose financial penalties (up to $1 million)
• Any person who suffers loss or damage as a result of infringement of the DP law can also institute civil proceedings against the infringing organisation

Enforcement of PDPA
• 27 August 2014 – Star Zest Home Tuition agency and its director, Mr Law Han Wei, were each fined S$39,000 for 13 charges of failing to check the DNC Register
• 16 January 2015 – Reported that both the company and the director are under investigation again for breaches of the DNC policy
• 20 October 2014 – Mr Kuan Chow Sheng, a property agent, was fined S$27,000 for 9 charges of failing to check the DNC Register
• The PDPC has investigated more than 3,500 valid complaints against various organisations since the DNC provisions took effect on 2 Jan 2014*
*Source: PDPC Website

Main Implications for Advisors

Main Implications for Advisors
• Under the DNC provisions of the PDPA, financial advisors and other financial institution personnel dealing directly with clients and their personal data must ensure that they do not make calls or send text messages that contain marketing elements without first checking the DNC registry.
• Covers messages sent via:
  • Telephone calls
  • SMS/MMS
  • Fax
• 3 registers – one for each type of message covered
• Persons in breach of DNC rules would be liable to penalties of up to $10,000 per breach, and up to $1,000 in composition fines

Main Implications for Advisors
Check DNC Registry -> Receive DNC Registry Results*
• Not on DNC Registry – May proceed to make the call or send the message
• On DNC Registry – Do not proceed to make the call or send any messages
*DNC Results are valid for 30 days

Main Implications for Advisors
• Exemption to the requirement to check
  • The Personal Data Protection (Exemption from Section 43) Order 2013, announced on 26 December 2013, introduced an exemption from the requirement to check.
  • An “ongoing relationship” exemption to check the DNC registry will apply to text or fax messages, but not to voice calls.
  • Also, if the individual has given unambiguous consent to receiving such marketing messages or calls, then there is no requirement to check.

Main Implications for Advisors
• Officers of a body corporate can be held liable for the offence along with the body corporate and punished accordingly if the offence is proved:
  • to have been committed with his or her consent or connivance, or
  • to be attributable to any neglect on his or her part
• Liability of employers for acts of employees:
  • Any act done or conduct engaged in by a person in the course of his employment shall be treated as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.
• Breaches by an employee can be imputed to the Employer as well!

Implications for Banks from a Governance Perspective
Implications for Banks from a Governance Perspective
Risk Management
• Are there adequate measures, policies and protocols put in place to ensure compliance with the obligations under the PDPA?
• Are employees educated about the institution’s data protection protocols?
• Is there a process for dealing with and escalating matters or complaints relating to personal data?
• Have both the PDPA and other obligations imposed by the MAS been complied with?

Implications for Banks from a Governance Perspective
Briefly, some measures organisations should carry out:
• Appoint a DPO to be in charge of data protection issues;
• Set up a DP task force;
• Carry out an internal audit to ascertain where and how personal data is currently collected, stored, used and disclosed;
• Have a Compliance Manual, internal guidelines and policies drafted and put in place to map processes for compliance with the PDPA;
• Implement best practices to protect the organisation from unauthorised loss or damage, security measures for preventing, detecting and dealing with breaches, and staff selection and training.

Implications for Banks from a Governance Perspective
Organisations should review existing practices:
• Ensure that compliance programs that are in place comply with both the PDPA and the obligations imposed by the MAS
  • i.e. Banks must comply with both the security obligation under the PDPA as well as the MAS Notice/Guidelines on Technology Risk Management
  • For instance, does the company allow employees to bring their own devices? If so, what security measures are in place to ensure that there is no data leakage?
• Check and assess contracts entered into, and compliance with DP law in dealings with contracting parties
  • i.e. Must comply with both the PDPA and the regulations imposed on Financial Institutions, i.e. the MAS Outsourcing Notice/Guidelines

Implications for Banks from a Governance Perspective
Organisations should review existing practices:
• Monitoring of the company’s employees’ use of company equipment and network
  • Personal data of the company’s employees may be captured
  • May fall within the exception of being for the purpose of managing or terminating an employment relationship
  • However, the company is still required to inform its employees of the purposes of such collection, use or disclosure
• The PDPA does not prescribe the manner of notification
  • Can be by way of employment contracts, employee handbooks, or notices on the company intranet
  • New purposes may be notified by way of company email or internal memos

Implications for Banks from a Governance Perspective
Personal Data of Existing Clients:
• Financial Institutions may possess personal data of existing clients that was collected before the PDPA came into force.
• Note that under the PDPA, such personal data can only be used for the purposes for which it was originally collected.
• Such personal data cannot be used to market new funds to existing clients, particularly those on the DNC registry.

Implications for Banks from a Governance Perspective
Personal Data of Existing Clients:
• DNC: the “Ongoing Business Relationship” exemptions may be applicable, but only to text and fax messages.
• Potential solution to marketing new funds to existing clients:
  • Fund Managers to email (in compliance with the anti-spam legislation) and ask for clear, unambiguous consent.
  • Once consent is obtained, Fund Managers can market to existing clients through calls.
How are the Banks Responding - Balancing the PDPA with other Banking Obligations

How are the Banks Responding?
• Most financial institutions have completed compliance programs for their organisations.
• Internally - This includes drafting compliance manuals, conducting training for employees, and assessing contracts with subcontractors or third party vendors.
• Externally - This includes making a privacy policy publicly available, sending data protection notifications to existing customers, and amending forms and contracts to obtain consent to collect, use and disclose personal data from new clients.

• Financial Institutions distribute research reports periodically to existing clients and potential investors. Such reports may constitute an inadvertent release of information.
• Can the exemption for research data apply? Short answer: No.
• PDPA obligations will still apply with regard to obtaining consent from individuals for the use of their personal data for such purposes.
• It is unlikely that the conditions of the exemption will be satisfied.

Balancing Other Banking Obligations and the PDPA
• Amendments of AML/CFT Notices on 1 July 2014
  • The amendments provided that customers will generally have the right to access and correct their factual identification data (including personal data)
  • Access and correction rights are also subject to certain exceptions provided for in the PDPA, e.g. where a request for access would unreasonably interfere with the operations of the organisation
  • “Connected parties” includes company directors, partners and natural persons with executive authority, and covers any individual on whom Financial Institutions are required to do AML/CFT related customer due diligence. MAS seeks to further refine this definition in the future.
Balancing Other Banking Obligations and the PDPA
• Amendments of AML/CFT Notices on 1 July 2014
  • Financial institutions may, as per existing practice, collect, use and disclose personal data without customer consent, whether directly or through a third party (rules governing data intermediaries as per the PDPA)
  • The MAS also observed that, as no customer consent is required in this context, it is not possible for a customer to withdraw consent.

Balancing Other Obligations and the PDPA
• MAS Circular On IT Security Risks Posed by Personal Mobile Devices – Sept 2014
  • The Circular was issued to CEOs of all financial institutions (‘FIs’).
  • The Circular highlighted the growing trend of FIs allowing their employees to access corporate email, calendars, applications and data from personal mobile devices.
  • There is a tension between such a practice and the MAS Technology Risk Management Guidelines, whereby FIs are expected to develop a comprehensive data loss prevention strategy to safeguard sensitive or confidential customer information. This includes protecting data processed in end point devices, data in transmission as well as data stored in servers.
  • Similarly, there is an obligation under the PDPA to take reasonable security measures to protect personal data.

Balancing Other Obligations and the PDPA
• MAS Circular On IT Security Risks Posed by Personal Mobile Devices – Sept 2014
  • The Circular highlighted the potential risks involved in adopting such a practice, and emphasised that FIs need to be aware of the heightened security risks associated with allowing employees to use their personal mobile devices, due to the challenges in securing, monitoring and controlling such devices.
  • The Circular stated that FIs should not proceed with a BYOD implementation if they are unable to adequately manage the associated security risks.
  • Should BYOD be implemented, FIs are reminded to remain vigilant and keep pace with technology advancement and emergent threats in the mobility space. Regular vulnerability assessment and penetration testing must be carried out on the BYOD infrastructure to ensure that any security gaps are identified and rectified promptly.

Balancing Other Obligations and the PDPA
• MAS Notice/Guidelines on Outsourcing (Under Consultation) – Sept 2014
  • The MAS Notice and Guidelines on Outsourcing stipulate that Financial Institutions are to include contractual provisions requiring the service provider in outsourcing arrangements to protect the confidentiality of customer information that may be transferred.
  • Such provisions include the right to audit and inspect the security measures employed by the service provider, the requirement to separate customer information from other data, and restrictions on further disclosure of customer information unless required under a purpose relating to the outsourcing arrangements.

Balancing Other Obligations and the PDPA
• MAS Notice/Guidelines on Outsourcing (Under Consultation) – Sept 2014
  • Similarly, under the PDPA, organisations will be liable for data breaches caused by data intermediaries who process personal data on the organisation’s behalf.
  • It is therefore advisable that organisations that engage data intermediaries also include in their contracts provisions requiring the data intermediaries to comply with the data protection obligations under the PDPA.
  • Though the MAS Outsourcing Notice and Guidelines are stricter in scope, there appears to be consistency between them and the PDPA.

How are they balancing the PDPA with the Banking Act Obligations?
PDPA vs Banking Act (‘BA’)
• Under the BA, banks are obliged to maintain banking secrecy and may only disclose customer information (which includes personal data) in circumstances specified by the BA.
• Similarly, the PDPA provides that personal data can only be disclosed with the individual’s consent, or so long as the disclosure falls within certain specified exceptions.
• There is an inconsistency between both Acts, as the BA provides for a more limited set of circumstances where disclosure of personal data is permitted.

How are they balancing the PDPA with the Banking Act Obligations?
PDPA vs Banking Act (‘BA’)
• In accordance with the PDPA, the provisions of other written law shall prevail in the event of an inconsistency between the provisions of the PDPA and the other written law.
• This approach has been affirmed by the Advisory Guidelines on Key Concepts in the PDPA.
• However, where the BA does not address issues relating to personal data protection, the PDPA will continue to apply.

How are they balancing the PDPA with the Banking Act Obligations?
Association of Banks Feedback to PDPC
• The Association of Banks (‘ABS’) sent their feedback on the PDPA to the PDPC on 20 June 2014.
• The ABS submits that Financial Institutions and/or Banks should be granted certain concessions from the PDPA.
• However, it is unclear what other types of Financial Institutions, apart from Banks, the ABS is referring to.
• No news as yet on the status of the PDPC's position with regard to ABS' feedback, but FIs should monitor this.

Questions & Answers

Thank you

Disclaimer
The material in this presentation is prepared for general information only and is not intended to be a full analysis of the points discussed. This presentation is also not intended to constitute, and should not be taken as, legal, tax or financial advice by Rajah & Tann. The structures, transactions and illustrations which form the subject of this presentation may not be applicable or suitable for your specific circumstances or needs and you should seek separate advice for your specific situation. Any reference to any specific local law or practice has been compiled or arrived at from sources believed to be reliable and Rajah & Tann does not make any representation as to the accuracy, reliability or completeness of such information.