This is my first piece for this column. It is indeed an honour and pleasure to be writing on a subject close to my heart and practice, franchising.
However, I am not writing about franchising per se for my “maiden” article. This is because the deadline for compliance with the Personal Data Protection regime of the Personal Data Protection Act (“PDPA”), 2 July 2014, is here. The PDPA touches almost every private business in Singapore. For the same reason, an article written by yours truly has been published in the Franchising and Licensing Association of Singapore’s newsletter for June 2014.
Whilst non-compliance could attract a maximum penalty of $1 million, businesses should look at it as an opportunity. From the public relations or corporate image perspective, compliance would give consumers a certain confidence in the organisation. From the administration perspective, it offers a good opportunity to review the organisation’s workflow, data security measures and other controls. One organisation which we are auditing has different forms for the same purpose.
What Does The Personal Data Protection Regime Protect?
The PDPA has two regimes. There is the “Do-Not-Call” regime (DNC) and the Personal Data Protection regime (PDP). The DNC regime was implemented in January this year and businesses have already been fined for non-compliance. The two are totally different. The DNC protects against the invasion of personal space, such as receiving unsolicited SMS; the PDP protects an individual’s data privacy. An individual may not even know that his data privacy has been infringed, whilst he would always know that his DNC rights have been breached. One such situation is when his personal data is being marketed.
Today, we are discussing the PDP.
All private businesses which make use of personal data need to have a PDP compliance system. Personal data is data which is identifiable with an individual. A group of data which pinpoints an individual definitively is personal data. There is also data which is uniquely identifiable with an individual, such as identity card and passport numbers, which cannot be attributed to anyone else. For the same reason, mobile telephone numbers are personal data.
Activities Which Use Personal Data
Through my advisory work, I noticed that we can compartmentalise the activities which use personal data into three categories. They are:
1. Human Resource.
3. Nature of Business.
Category 3 is where the use of personal data is integral to the business. They would include businesses which collect and use personal data:
a. because of warranties given for their products;
b. for reservations purposes; and
c. for security purposes.
As we can see, Category 3 is not limited to banks and credit card companies. Car dealers, restaurants and hotels are within this category, too. It is common for restaurants to ask for or be given mobile telephone numbers when taking reservations. Some top end restaurants even require credit card information because they have reservations booked a month ahead.
The Food and Beverage and Hospitality industry is one where many franchises exist. Whilst luxury product boutiques, another highly franchised industry, could theoretically stop collecting personal data to invite their customers to fashion shows, private views and sales, businesses in Category 3, where the collection and use of personal data is necessary for them to function, cannot.
It is interesting that the misconceptions have morphed. At the beginning of this year, many businesses were surprised that not sending out SMS messages for their marketing activities was not enough. Now, many are equally surprised that having a policy which generally complies with the nine principles listed on the Personal Data Protection Commission’s website is inadequate. On closer look, none of the businesses comply with two of the nine principles in their data protection policies, if they have any. They are:
1. Access and Correction Principle.
2. Openness Principle.
None of the organisations which we consulted has a system which allows a data subject to check the information relating to him in their database. Needless to say, it follows that correction could hardly be demanded by the data subject. As for the “Openness Principle”, even if there is one, it is seldom enough.
In order to comply with the Act, private businesses need to do the following:
1. Appoint at least one Data Protection Officer (“DPO”).
2. Ensure that the DPO can be easily contacted by the public.
3. Create a set of manuals for the policies and practices to be developed.
4. Develop a process to handle complaints.
5. Make the information regarding its:
(a) personal data protection policies and practices; and
(b) complaints handling mechanism available to the public upon request.
6. Ensure that their personnel are adequately trained with regards to the personal data protection compliance system.
As mentioned in the introduction, personal data protection compliance should be looked at as a business opportunity. Many organisations, such as Singapore Airlines and the Esplanade Theatres, have taken this approach by communicating to their clients and patrons how much their personal data means to them. Therefore, there is no reason to delay in implementing a Personal Data Protection Compliance System.
George Hwang is Director at George Hwang LL.C, a law firm based in Singapore. Known for his clarity and focus, commercial acumen and strategic foresight, George's practice focuses on Intellectual Property, Information Technology, Entertainment and Media Law. With more than 15 years of experience in the industry, George is the leading expert in copyright contracts, IP transactions and management.
George can be reached at email@example.com.