Market Research and the New Personal Data Protection Law

The Personal Data Protection Act (“PDPA”) came into being in Jan 2013. By 2 Jul 2014, full compliance is expected from all private business entities.

Market research usually looks at the behavioural patterns of individuals or consumers. The PDPA protects the data privacy of individual. Therefore, market research which analyses the preferences of the consumers by gathering and analysing consumer data and spending habits will have one more area of law to contend with.

Before 2 Jul 2014

Prior to 2 Jul 2014, a market researcher needs only be concerned with the law of confidence. Once consent from the owner of the confidential information is obtained, he no longer has any woes.

A typical market research entails the gathering of personal information of individuals, their habits or behavioural patterns. These personal information are usually confidential information belonging to the subject interviewed. Consent forms are often signed by the interviewees to ensure that the research company can use their data.

The information gathered and resulting analysis will be protectable as confidential information and copyright. Naturally, these intellectual property originate from the personal and confidential information belonging to the subject interviewed. The consent given acts as a licence for the market researcher to use the ensuing intellectual property.

Where a 3rd party market research company is commissioned to conduct market research, the findings and conclusions are usually legally transferred to the commissioner in the form of a licence.

Difference between Personal Data and Protectable Information in the Law of Confidence

The law of confidence protect all kinds of information subject to the requirements that the information is not in the public domain nor trivial “tittle tattle”, whereas “personal data” refers to data which is identifiable with an individual. It must be data related to a natural person and not a legal person e.g. a company.

The law of confidence protect information which belongs to the government and businesses, besides those of an individual. The 2 overlaps in the arena of personal information.

Whilst information in the public domain will render the information no longer one which is protectable by the law of confidence, being in the public domain does not mean that the information is no longer personal data. However, for information in the public domain, the requirement of seeking consent from the data subject is no longer required for collection, use and disclosure.

Data which are anonymised will no longer be protected by the PDPA. This is because they are no longer identifiable with an individual, hence, can no longer be classified as personal data. A market research company may sell this form of data. However, this is not the same for confidential information. As long as the use is unauthorised, you are in breach of confidence. Whether you will be found out and sued is different from whether you are in breach. The breach of confidence is caused by unauthorised use. Herein lies the difference between protecting privacy and trust.

Differences between the Law of Confidence and PDPA

For the law of confidence to protect the personal data of the subject interviewed, the following conditions need to be fulfilled:

(a) the information to be protected must have the necessary quality of confidence about it;
(b) that information must have been imparted in circumstances importing an obligation of confidence; and
(c) there must be an unauthorised use of the information to the detriment of the party who originally communicated it.

If the use is authorised by the interviewee, there will not be any breach. This is not the case for personal data protected by the PDPA. Even if consent is granted, the data user or company holding the personal data will have to comply with a few other obligations stipulated by the PDPA. They include:

  1. The data subject or interviewee’s right to have access to his personal data.
  2. The duty to keep accurate information and to correct inaccurate information when requested to do so by the data subject.
  3. The duty to protect the data by keeping it secured.
  4. The duty not to keep the data for an unduly long period.
  5. The duty not to send the data to countries which do not afford equivalent protection.

Unlike the duty to not to collect, use or disclose without consent, the obligations listed cannot be contracted out. Obtaining the consent from the data subject that he or she will not access the data or request for correction does not exonerate the business or company from these duties. Therefore, companies will have to start implementing systems and policies to comply with these duties imposed by PDPA.

Similar Treatment for Compliance

Though personal data protection is different from protecting that of trust and confidence, the compliance measures of obtaining consent before collecting, using and disclosing personal data can be tackled together with that of protecting against being sued for breach of confidence. This is merely the use of obtaining express consent, evidenced in writing, before the interview where data is collected. The wordings will have to be tweaked to take the 2 sets of laws into account.

After 2 Jul 2014

As can be seen, besides consent, after 2 Jul 2014, a company embarking on consumer market research will have to take into account other duties within the PDPA. As the PDPA requires all businesses with personal data to appoint an officer to be in-charge, the first step to take is to create the position of Personal Data Protection Officer and appoint a suitable person for the responsibilities.

George Hwang
GEORGE HWANG LL.C.
8 August 2013

*This article is first published inthe Licensing Executive Society of Singapore’s inaugural newsletter, “Connect”, August 2013.

For more information, please contact george@georgehwangllc.com.