PERSONAL DATA PROTECTION AND FRANCHISING
The Personal Data Protection Act 2012 (“Act”) protects an individual’s data privacy. Private organisations fall within its ambit.
Misconceptions on Compliance
Many organisations, especially small and medium-sized enterprises, believe that they comply with the Act because they do not telemarket. Others believe they are in compliance simply because they have obtained the consent of the data subject or abide by the nine principles expounded in the Act. These beliefs are incorrect or only half correct.
The Act has two regimes. One is the “Do Not Call” regime and the other relates to Personal Data Protection. We must not mix up the two. Also, we must fully understand and implement the Personal Data Protection compliance regime. Organisations should analyse their data management systems carefully. Non-compliance could attract a fine of up to $1 million.
All members of the Franchising and Licensing Association (Singapore) are private business entities. They hire staff, and this is a function of the business that makes use of personal data.
Further, most franchise businesses run on a B2C model and carry out direct marketing activities. As these activities are targeted at consumers, they are likely to be affected by the new law.
Three Different Regimes
Direct marketing activities are usually conducted either via email or telemarketing. There are also customer loyalty programmes. Email marketing activities are covered by the Spam Control Act. Telemarketing through faxes, SMS or voice calls is governed by the “Do-Not-Call” Registration (“DNC”) regime of the Act. As they all require the collection and use of personal data, the Personal Data Protection regime (“PDP”) of the Act will also govern them.
Whilst the Spam Control Act and the DNC relate to the medium or channels through which messages are communicated, the PDP relates to personal data privacy. In a certain way, the Spam Control Act and the DNC protect the private or personal “space” of the recipient from being invaded. This article will comment on neither the Spam Control Act nor the DNC provisions of the Act.
Timelines for Compliance
The Act was passed in Parliament on 20 Nov 2012. Since then, two phases of implementation have taken place. They are:
1. the creation of the Personal Data Protection Commission (“Commission”) on 2 Jan 2013 and
2. the DNC regime on 2 Jan 2014.
The 3rd and final phase is the PDP. This is expected to take place on 2 July 2014.
What information is protected by the PDP?
The PDP applies to any information identifiable with a natural person unless expressly excluded.
Compliance with the PDP
In order to comply with the Act, an organisation needs to do the following:
1. Appoint a Data Protection Officer (“DPO”).
2. Ensure that the DPO is easily contactable by the public.
3. Create a set of manuals for the policies and practices developed.
4. Develop a process to handle complaints.
5. Make the information regarding its:
(a) personal data protection policies and practices; and
(b) complaints handling mechanism available to the public upon request.
6. Ensure that its staff are adequately trained with regard to the personal data protection compliance system.
The Act is broadly anchored on nine principles. An organisation’s personal data protection policies need to incorporate all the nine principles to fully comply. They are:
1. Consent obligation
2. Purpose limitation obligation
3. Notification obligation
4. Access and correction obligation
5. Accuracy obligation
6. Protection obligation
7. Retention limitation obligation
8. Transfer limitation obligation
9. Openness obligation
Differences in Law Before and After 2 July 2014
The law governing personal data prior to 2 Jul 2014 is the law of confidence. There are also 150 piecemeal pieces of legislation. The Act will thus be the baseline legislation which applies to personal data across the board.
The difference between the law of confidence and the PDPA is that the former protects trust in a relationship, the latter, data privacy.
For the law of confidence to protect the personal data of the subject interviewed, the following conditions need to be fulfilled:
(a) the information to be protected must have the necessary quality of confidence about it;
(b) that information must have been imparted in circumstances importing an obligation of confidence; and
(c) there must be an unauthorised use of the information to the detriment of the party who originally communicated it.
This implies that as long as the recipient has not used the information in an unauthorised manner, the recipient of the information or data user has no other obligations. This is not the case for personal data protected by the PDPA. The obligations not covered by the law of confidence include:
1. Access and correction obligation – The data subject’s right to have access to his personal data and to demand that errors be corrected.
2. Purpose Limitation Obligation – The data user’s duty not to collect excessive information.
3. Accuracy Obligation – The duty to keep accurate information and to correct inaccurate information.
4. Protection Obligation – The duty to protect the data by keeping it secured.
5. Retention Limitation Obligation – The duty not to keep the data for an unduly long period.
6. Transfer Limitation Obligation – The duty not to send the data to countries which do not afford equivalent protection.
Therefore, companies will have to start implementing systems and policies to comply with these duties imposed by PDPA.
This article was published in the June 2014 edition of the Franchising Licensing Society (FLA).