As a good practice, organisations should generally seek individuals' consent for marketing via a distinct opt-in selection when signing up for a product or service.
An organisation will not be considered to be requiring consent to market its products or services as a condition of providing a product or service, if it allows the individual to withdraw such consent and doing so will not result in ceasing of the provision of the product or service to the individual.
The organisation should clearly state how the individual may withdraw consent from marketing subsequently (e.g. by providing a link or an email address for the individual to opt out).
Organisations should also note that this approach to obtaining consent for sending marketing messages does not apply to sending of marketing messages via voice, text and fax where clear and unambiguous consent is required under the DNC Provisions of the PDPA.
Organisations that wish to do so should consider the following:
Is the collection, use or disclosure of the personal data required or authorised under the PDPA or other laws for that purpose? If so, the organisation does not need to seek consent. Otherwise, the organisation should consider whether the individual has previously withdrawn or indicated that he does not consent to that new purpose.
If the individual has previously withdrawn or indicated that he does not consent to that new purpose, the organisation should not contact him to seek consent for that new purpose. However, the organisation may seek fresh consent during any new transaction with the individual. For example, a service provider may seek the consent of subscribers who previously indicated they did not consent to the use of their personal data for other purposes, at the point of renewal of their service subscription.
Where the individual has not previously withdrawn or indicated that he does not consent to that purpose, the organisation may contact the individual to seek consent for the new purpose. However, if the new purpose involves marketing, the organisation must also comply with the Do Not Call (DNC) provisions when contacting the individual via voice, text or fax messages.
Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes. The term “evaluative purpose” is defined in section 2(1) of the PDPA and includes, amongst other things, the purpose of determining the suitability, eligibility or qualifications of an individual for employment, promotion in employment or continuance in employment.
Hence, the evaluative purpose exception allows employers to collect, use and disclose personal data without the consent of the individual concerned for various purposes that are common in the employment context, for example:
a) Obtaining a reference from a prospective employee’s former employer where necessary to determine his suitability for employment; or
b) Obtaining opinions about the employee where necessary to determine his eligibility for promotion.
In practice, an organisation that has been requested to disclose information about its past employee may not be able to evaluate whether it is necessary for evaluative purposes, and may therefore wish to obtain the consent of the individual.
Organisations are required to comply with the Data Protection Provisions, including the Consent Obligation and Transfer Limitation Obligation, under the PDPA for any disclosure and overseas transfer of personal data, unless an exception applies.
Depending on the specific facts of the case, an exception to the Consent Obligation may apply such that an organisation may disclose the personal data to an overseas authority without consent from the individual. The circumstances for disclosure without consent are provided in the Fourth Schedule of the PDPA. The Transfer Limitation Obligation may also be taken to be satisfied where certain exceptions in the Fourth Schedule apply (more details are set out in Regulation 9(3)(e) of the Personal Data Protection Regulations 2014).
However, no specific exception under the PDPA routinely covers all requests from overseas authorities.
If an organisation requires further guidance from the PDPC on this matter, please write in to us at firstname.lastname@example.org.
Organisations must notify individuals of the purposes for which their personal data (including CCTV footage of them) is collected, used or disclosed and obtain their consent, unless any exception applies. For example, notification and consent is not required if the personal data is publicly available.
The PDPA does not prescribe the content of notifications. Generally, organisations should indicate that CCTVs are operating in the premises, and the purpose of the CCTVs if such purpose may not be obvious to the individual.
Please refer to the Advisory Guidelines on the PDPA for Selected Topics, Chapter 4, on Photography, Video and Audio Recordings, and PDPC’s Guide to Notification for information and examples on good practices organisations may adopt when notifying individuals about personal data policies and practices.
Organisations may collect personal data of visitors to premises where it is necessary for purposes of contact tracing and other response measures in the event of an emergency, such as during the COVID-19 outbreak.
In the event of a COVID-19 case, personal data can be collected, used and disclosed without consent to carry out contact tracing and other response measures, pursuant to sections 1(b) of the Second, Third and Fourth Schedules to the PDPA, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.
As organisations may require NRIC/FIN/passport numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect visitors’ NRIC, FIN or passport numbers where it is necessary for this purpose.
Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure (e.g. ensure visitor logbooks are kept secured and not visible to other visitors), and ensuring that the personal data is not used for other purposes without consent or authorisation under the law. Organisations should also expunge the data when it is no longer needed for contact tracing-related purposes.
© 2020 Government of Singapore.