1. Scope
This Model Code describes the minimum requirements for the protection of personal information in the form of electronic data (“personal data”). Any applicable law must be considered in implementing these requirements.
1.1 The objective of this Model Code is to assist organisations in developing and implementing policies and procedures to be used when managing personal data.
1.2 Where appropriate, the following data processing activities may be exempted:
- Processing required by any law or by the order of a court;
- Processing by any person purely for that person’s family, household or personal affairs (including recreational purposes);
- Processing purely for journalistic, artistic or literary purposes;
- Processing by any organisation directly relating to a current or former employment relationship between the organisation and the individual;
- Any processing operations which are necessary to safeguard:
- National and public security;
- National defence;
- The prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;
- An important national economic or financial interest, including monetary, budgetary and taxation matters;
- A monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority;
- The protection of the individual or of the fundamental liberties of others under the Constitution; and
- Processing for research or statistical purposes, provided the results of the research or any resulting statistics are not made available in a form which identifies any individual.
1.3 The Model Code applies to the processing of personal data whether or not by electronic means.
1.4 The Model Code applies to any personal data which are processed or controlled by the organisation, regardless of whether the data are transferred out of Singapore.
The Model Code applies in favour of all persons, whether resident in Singapore or not, whose data are or have been processed by the organisation.
2. Definitions
The following definitions apply in this Model Code:
Collection – the act of gathering, acquiring, or obtaining personal data from any source, and whether directly or indirectly by any means.
Consent – voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organisation seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Control – in relation to an organisation, refers to its power to determine the purposes for which data are processed, and the manner in which they are processed.
Disclosure – making personal data available to others outside the organisation.
Individual – refers to the individual to whom the personal data relates.
Organisation – a term used in the Model Code that includes associations, businesses, charitable organisations, clubs, institutions, professional practices, and unions.
Personal data – data, whether true or not, in an electronic form, which relate to a living person who can be identified:
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the organisation.
Processing – any operation or set of operations performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Third Party – any party other than the individual, the organisation or any person who processes personal data on behalf of the individual or the organisation.
Use – refers to the treatment and handling of personal data within an organisation.
3. General Requirements
3.1 The 10 principles in Part 4 are interrelated. Organisations adopting this Model Code shall adhere to all 10 principles as a whole.
3.2 Each principle is elaborated upon in the sub-paragraphs that follow it. These sub-paragraphs are intended to help readers understand the significance and the implications of the principles.
3.3 Provided the minimum requirements are met, organisations may adapt this Model Code to meet their specific circumstances by:
- defining how they subscribe to the 10 principles;
- developing an organisation-specific code; and
- modifying the text to provide organisation-specific examples.
For example, policies and procedures may vary, depending upon whether the personal data relate to members, employees, customers, or other persons.
4. Principles
4.1 Principle 1 – Accountability
An organisation is responsible for personal data in its possession or custody.
Where the personal data is under the control of the organisation, the organisation shall, in addition, designate a person or persons who are accountable for the organisation’s compliance with the following principles.
4.1.1 Where data are to be transferred to someone (other than the individual or the organisation or its employees), the organisation shall take reasonable steps to ensure that the data which is to be transferred will not be processed inconsistently with this Model Code.
4.1.2 Accountability for the organisation’s compliance with the principles rests with the designated person(s), even though other persons within the organisation may be responsible for the day-to-day collection and processing of personal data. In addition, other persons within the organisation may be delegated to act on behalf of the designated person(s).
4.1.3 The identity of the person(s) designated by the organisation to oversee the organisation’s compliance with the principles shall be made known upon request.
4.1.4 Organisations shall implement policies and procedures to give effect to the principles. These may include:
- implementing policies and procedures to protect personal data;
- establishing policies and procedures to receive and respond to complaints and inquiries;
- training staff and communicating to staff data about the organisation’s policies and procedures; and
- providing relevant information to explain the organisation’s policies and procedures.
4.2 Principle 2 -Specifying Purposes
The purposes for which personal data are collected shall be specified by the organisation.
4.2.1 These purposes shall be documented.
4.2.2 The identified purposes should be specified to the person from whom the personal data is collected or to the individual (“the relevant party”). Depending upon the way in which the data are collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
4.2.3 The organisation shall specify these purposes at or before the time the data are collected or, in the event that this is not practicable, as soon thereafter as is reasonable.
4.2.4 When personal data that have been collected are to be used for a purpose not previously specified, the new purpose shall be specified to the relevant party prior to use. The use of such data is still subject to the other principles in this Code.
4.2.5 The purposes must be specified in such a manner that the individual can reasonably understand why the data is being collected and how the data will be used or disclosed.
4.3 Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal data to a third party, save where the following exceptions apply.
Collection without knowledge or consent of the individual is permitted where:
- All of the following apply:
- the collection is clearly in the interest of the individual;
- it is impracticable to obtain the consent of the individual to that collection; and
- if it were practicable to obtain such consent, the individual would be likely to give it.
- Collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the data where such collection pertains to an investigation of an actual or suspected breach of an agreement or contravention of the law that has been, is being, or is about to be committed;
- Data is being collected in an emergency that threatens the life, health or security of a person; or
- Collection is of data which is generally available to the public.
Use without knowledge or consent of the individual is permitted where:
- All of the following apply:
- the use is clearly in the interest of the individual;
- it is impracticable to obtain the consent of the individual to that use; and
- if it were practicable to obtain such consent, the individual would be likely to give it.
- Data is used in the investigation of an actual or suspected breach of an agreement or contravention of the law that has been, is being, or is about to be committed;
- Data is being used in an emergency that threatens the life, health or security of a person; or
- Use of data which is generally available to the public.
Disclosure to a third party without knowledge or consent of the individual is permitted where:
- All of the following apply:
- the disclosure is clearly in the interest of the individual;
- it is impracticable to obtain the consent of the individual to that disclosure; and
- if it were practicable to obtain such consent, the individual would be likely to give it.
- Disclosure is made to a solicitor representing the organisation;
- Disclosure is necessary for the purposes of establishing, exercising or defending legal rights;
- Disclosure is to a government agency that has made a lawful request for the data;
- Disclosure is made to a person who needs the data because of an emergency that threatens the life, health or security of a person;
- Disclosure is made to an institution whose purpose is the conservation of records of historic or archival importance and disclosure is for such purpose;
- Disclosure is of data which is generally available to the public in that form; or
- Disclosure is reasonable for purposes related to the investigation of an actual or suspected breach of an agreement or contravention of the law that has been, is being or is about to be committed.
4.3.1 Consent shall be obtained by the organisation at or before the time of processing except that where an organisation wants to use data for a purpose not previously identified, consent with respect to use or collection may be obtained after the data are collected but before use.
4.3.2 An organisation may not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of data beyond that required to fulfil the specified, and legitimate purposes.
4.3.3 The form of the consent sought by the organisation may vary, depending upon the circumstances and the type of data. In determining the form of consent to use, organisations shall take into account the sensitivity of the data.
4.3.4 Consent does not have to be obtained by the organisation directly from the individual. Consent can be given by an authorised representative (such as a legal guardian or a person having power of attorney).
4.3.5 Consent shall not be obtained through deception or by providing misleading or incomplete information.
4.3.6 The way in which an organisation seeks consent may vary, depending on the circumstances and the type of data collected. An organisation should generally seek express consent when the data are likely to be considered sensitive. Implied consent would generally be appropriate when the data are less sensitive.
4.3.7 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The individual may only be subjected to consequences because of this decision where the information is required to fulfil the specified, and legitimate purposes set out by the organisation (e.g. in the absence of the data on which to assess an individual’s creditworthiness, an organisation may refuse to extend credit to him). The organisation should inform the individual of the implications of such withdrawal.
4.4 Principle 4 – Limiting Collection
Except as provided below, the collection of personal data shall be limited to that which is necessary for the purposes specified by the organisation.
Data shall be collected by fair and lawful means.
Collection beyond purposes specified is permitted where:
- All of the following apply:
- the collection is clearly in the interest of the individual;
- it is impracticable to obtain the consent of the individual to that collection; and
- if it were practicable to obtain such consent, the individual would be likely to give it.
- Collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the data where such collection pertains to an investigation of an actual or suspected breach of an agreement or contravention of the law that has been, is being, or is about to be committed;
- Data is being collected in an emergency that threatens the life, health or security of a person;
- Collection is of data which is generally available to the public; or
- The individual consents to the collection.
4.4.1 Organisations shall not collect personal data indiscriminately. Both the amount and the type of data collected shall be limited to that which is necessary to fulfil the purposes identified.
4.5 Principle 5 – Limiting Use, Disclosure, and Retention
Except as provided below, personal data shall not be used or disclosed to a third party for purposes other than those for which it was collected, unless the individual consents to such use or disclosure.
Subject to any applicable legal requirements, personal data shall be retained only as long as necessary for the fulfilment of those purposes.
Use beyond the purposes for which it was collected is permitted where:
- All of the following apply:
- the use is clearly in the interest of the individual;
- it is impracticable to obtain the consent of the individual to that use; and
- if it were practicable to obtain such consent, the individual would be likely to give it.
- Data is used in the investigation of an actual or suspected breach of an agreement or contravention of the law that has been, is being, or is about to be committed;
- Data is being used in an emergency that threatens the life, health or security of a person;
- Use of data which is generally available to the public; or
- The individual consents to the use.
Disclosure beyond the purposes of collection is permitted where:
- All of the following apply:
- the disclosure is clearly in the interest of the individual;
- it is impracticable to obtain the consent of the individual to that use; and
- if it were practicable to obtain such consent, the individual would be likely to give it.
- Disclosure is made to a solicitor representing the organisation;
- Disclosure is necessary for the purposes of establishing, exercising or defending legal rights;
- Disclosure is to a government agency that has made a lawful request for the data;
- Disclosure is made, on the initiative of the organisation, to an investigative body appointed by the organisation, or to a government agency for investigative purposes;
- Disclosure is made to a person who needs the data because of an emergency that threatens the life, health or security of a person;
- Disclosure is made to an institution whose purpose is the conservation of records of historic or archival importance and disclosure is for such purpose;
- Disclosure is of data which is generally available to the public in that form; or
- Disclosure is made by an investigative body and the disclosure is reasonable for purposes related to the investigation of an actual or suspected breach of an agreement or contravention of the law that has been, is being or is about to be committed.
4.5.1 Organisations using personal data for a new purpose shall document this purpose in accordance with the Specifying Purposes principle (Principle 2).
4.5.2 Organisations should develop guidelines and implement procedures with respect to the retention and destruction of personal data. Personal data that have been used to make a decision about an individual shall be retained long enough to allow the individual access to the data after the decision has been made.
4.6 Principle 6 – Accuracy
Personal data shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
4.6.1 Personal data should be collected directly from the individual as far as it is practicable to do so.
4.6.2 An organisation shall request updates of personal data from individuals only where the update is necessary to fulfil the purposes for which the data were collected.
4.6.3 The organisation, in complying with this principle, may take into consideration the extent to which compliance is reasonable.
4.7 Principle 7 – Safeguards
Personal data shall be protected by appropriate security safeguards.
4.7.1 The security safeguards shall protect personal data against accidental or unlawful loss, as well as unauthorised access, disclosure, copying, use, or modification. Organisations shall protect personal data regardless of the format in which they are held.
4.7.2 The nature and extent of the safeguards will vary depending on: –
- the sensitivity of the data that have been collected;
- the amount, distribution, and format of the data;
- the method of storage;
- the state of technological development; and
- the cost and reasonableness of implementation of the safeguards.
4.7.3 The methods of protection may include one or more of the following:
- physical measures, for example, secured filing cabinets and restricted access to offices;
- organisational measures, for example, security clearances and limiting access on a “need-to-know” basis;
- technological measures, for example, the use of passwords and encryption, as may be available, appropriate and reasonable from time to time.
4.7.4 Organisations shall make their employees aware of the importance of maintaining the confidentiality of personal data.
4.7.5 Reasonable care shall be used in the disposal or destruction of personal data, to prevent unauthorised parties from gaining access to the data.
4.8 Principle 8 – Openness
An organisation shall make readily available information about its policies and procedures for handling personal data.
4.8.1 Organisations shall be open about their policies and procedures with respect to the management of personal data. Individuals should be able to acquire information about an organisation’s policies and procedures without unreasonable effort. Such information shall be made available in a form that is generally understandable.
4.8.2 The information made available shall include –
- the name/title and address of the person who is accountable for the organisation’s policies and procedures and to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal data held by the organisation;
- a description of the type of personal data held by the organisation, including a general account of their use;
- a description of the organisation’s policies or standards; and
- what personal data are generally made available or are likely to be made available to other organisations, including related organisations such as subsidiaries.
4.9 Principle 9 – Individual Access and Correction
Subject to the following exceptions, an individual shall upon his request be informed of the existence, use, and disclosure of his personal data and shall be given access to that data. An individual shall be able to challenge the accuracy and completeness of his personal data and have them amended as appropriate. The reasons for denying access should be provided to the individual upon request.
The organisation shall refuse the request where:
- providing access would be likely to reveal personal data about another person, unless:
— the said person consents to the access; or
— the individual needs the information because a person’s life, health or security is threatened,
provided that where the data about the said person is severable from the record containing the data about the individual, the organisation shall sever the data about the said person and shall provide the individual access; or - an investigative body or government agency, upon notice being given to it of the individual’s request, objects to the organisation’s complying with the request in respect of its disclosures made to or by that investigative body or government agency.
The organisation may refuse the request where:
- Data is protected by solicitor-client privilege;
- It would reveal data that cannot be disclosed for public policy, legal, security, or commercial proprietary reasons provided that where the personal data about the individual is severable from the record that cannot be disclosed for public policy, legal, security or commercial proprietary reasons, the organisation shall sever the data and give the individual access;
- It would threaten the life, health or security of a person;
- Data was collected under 4.3(b) (generally, collection pertaining to an investigation of a breach of an agreement or the law);
- Complying with the request would be prohibitively costly to the organisation; or
- The request is frivolous or vexatious.
4.9.1 Upon request, an organisation shall inform a person whether or not the organisation holds personal data about the person. Organisations are encouraged to indicate the source of this data. The organisation shall allow the individual access to this data. In addition, the organisation should provide confirmation as to whether or not data relating to him are being processed and data at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed.
4.9.2 An organisation shall verify the identity of the individual concerned before granting access. Further, the individual may be required to provide sufficient data to permit an organisation to provide an account of the existence, use and disclosure of personal data. The data provided shall only be used for this purpose.
4.9.3 In providing an account of recipients or categories of recipients to which it has disclosed personal data about an individual, an organisation should attempt to be as specific as possible. When it is not possible to provide a list of the organisations to which it has actually disclosed data about an individual, the organisation should provide a list of organisations to which it may have disclosed data about the individual.
4.9.4 An organisation shall respond to an individual’s request within a reasonable time and may charge a reasonable fee for providing the information or data requested for. The requested data shall be provided or made available in a form that is generally understandable. For example, if the organisation uses abbreviations or codes to record data, an explanation shall be provided.
4.9.5 When an individual successfully demonstrates the inaccuracy or incompleteness of personal data, the organisation shall amend the data as required within a reasonable time. Depending upon the nature of the data challenged, amendment may involve the correction, deletion, or addition of data. Where appropriate, the amended data shall be transmitted to recipients having access to the data in question.
4.9.6 When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organisation. When appropriate, the existence of the unresolved challenge shall be transmitted to recipients currently having access to the data in question.
4.10 Principle 10 – Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for the organisation’s compliance.
4.10.1 Organisations shall put mechanisms and processes in place to receive and address complaints or inquiries about their policies and procedures relating to the handling of personal data. The complaint process should be simple and accessible.
4.10.2 Organisations shall inform persons who make inquiries or lodge complaints of the existence of relevant complaint mechanisms.
4.10.3 An organisation shall investigate all complaints. If a complaint is found to be justified, the organisation shall take appropriate measures, including, if necessary, amending its policies and procedures.
5. Transitional Provisions
Upon adoption of this Model Code, the Code applies to all personal data already in existence. However, organisations may be allowed a transitional period of up to one year to comply with Individual Access and Correction principle (Principle 9).