PDPA compliance for fund management companies
Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.
© 2014 Baker & McKenzie.Wong & Leow
PDPA compliance for fund management companies
IMAS Seminar, 28 May 2014
Ken Chia
Agenda
‒ New updates
‒ Compliance steps for fund management companies
New updates
‒ New Personal Data Protection Regulations issued 19 May 2014
    Access and Correction Requests
    Transfer of personal data outside Singapore
‒ Revised Advisory Guidelines issued 16 May 2014
    Access and Correction Obligation
    Transfer Limitation Obligation
    Consent Obligation
    Exercising appropriate due diligence when obtaining personal data from third party sources
Access and Correction Requests
‒ s3(2) A request must be sent to the organisation:
    in accordance with section 48A of the Interpretation Act: personal service or pre-paid post to usual or last known address / principal or last known place of business / registered office or principal office
    to DPO
    in such other manner acceptable to organisation
‒ Organisation to provide info on use/disclosure over past year
Access and Correction Requests
‒ s4(2) Organisation should provide complete set of personal data
    unless “impracticable in any particular case, by allowing the applicant a reasonable opportunity to examine the personal data and use and disclosure information”
    or in such other form requested by the applicant as is acceptable to the organisation
‒ “as accurately and completely as necessary and reasonably possible”
Access and Correction Requests
‒ Access to own data, not whole systems
‒ Only to data currently in possession or control
‒ If data cannot be extracted in documentary form, reasonable opportunity to examine the requested data
‒ Covers unstructured data including emails
‒ Can just point to online portals to get information
‒ Can ask applicant to be more specific, but if unwilling, make a reasonable attempt to respond to the access request
Access and Correction Requests
‒ Can use standard list of all possible third parties to whom personal data may have been disclosed by the organisation
‒ But should individually identify each possible third party, instead of simply providing general categories of organisations (e.g. ‘pharmaceutical company ABC’ instead of ‘pharmaceutical companies’), to allow individuals to directly approach the third party organisation
‒ Purposes rather than each instance (e.g. for audit purposes)
Access and Correction Requests
‒ s5 - Timeframe for access/correction requests is 30 days from request, or (if >30 days) timeframe notified in writing by organisation
‒ s6 - Refusal to confirm or deny existence, use or disclosure of personal data related to any investigation or proceedings if the investigation and associated proceedings and appeals have not been completed
Access and Correction Requests
‒ s7 - Organisation may charge a reasonable fee to recover incremental costs of responding to access request
‒ But not for s22(2) correction request
Transfer of personal data outside Singapore
‒ s9(1) Transferring organisation must, before transferring an individual’s personal data to a country or territory outside Singapore
    (a) take appropriate steps to ensure that the transferring organisation will comply with Parts III to VI of the Act, in respect of the transferred personal data while it remains in the possession or under the control of the transferring organisation;
        III - General compliance; appointment of DPO; Openness obligations
        IV - Collection, use and disclosure obligations
        V - Access and correction obligations
        VI - Protection obligations
Transfer of personal data outside Singapore
‒ s9(2) Transferring organisation deemed to have satisfied conditions for transfer if the personal data is –
    (a) data in transit;
        “means personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring organisation or an employee of the transferring organisation acting in the course of the employee’s employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation”
    (b) publicly available in Singapore
Transfer of personal data outside Singapore
‒ s9(1)(b) take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data in that country or territory outside Singapore (if any) is bound by legally enforceable obligations (in accordance with regulation 10) to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act.
Transfer of personal data outside Singapore
‒ s9(1)(b) satisfied if
    the individual consents to the transfer of the personal data to that recipient in that country or territory, and before giving his consent, has been given a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the Act
    the transfer is necessary to fulfil a contract between the organisation and the individual
    the personal data is in transit or publicly available in Singapore
    the transfer is necessary for use/disclosure where certain exceptions to consent apply: used under paragraph 1(a) [in interests of individual], (b) [emergency] or (d) [national interest] of the Third Schedule to the Act, or disclosed under paragraph 1(a), (b), (c) [health & safety], (e) or (o) [next of kin] of the Fourth Schedule to the Act, and the transferring organisation has taken reasonable steps to ensure that the personal data so transferred will not be used or disclosed by the recipient for any other purpose
Transfer of personal data outside Singapore
‒ s10(1) - legally enforceable obligations include
    (a) any law;
    (b) any contract which
        requires the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the Act; and
        specifies the countries and territories to which the personal data may be transferred under the contract.
    (c) any binding corporate rules
    (d) any other legally binding instrument
Contractual clauses for protection
‒ Purpose of collection, use and disclosure by recipient
‒ Accuracy
‒ Protection*
‒ Retention limitation*
‒ Policies on personal data protection
‒ Access
‒ Correction
* data intermediary
Binding corporate rules
‒ Must require every recipient of the transferred personal data that is related to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the Act;
‒ Specify recipients, countries and territories, rights and obligations provided by the binding corporate rules
‒ Only for those recipients under control, controlling or under common control
Exercise of rights under Act in respect of deceased individual
‒ s11
    Personal representatives
    Schedule 1 relatives
Compliance steps for fund management companies

Countdown
35 days to 2 July 2014!
Effective Compliance Culture
[Cycle diagram: Risk Identification → Risk Assessment → Risk Mitigation → Review]
Compliance steps
‒ Risk identification and assessment
    PDPC personal data protection checklist
    Privacy impact assessment for new projects
‒ Risk mitigation
    Appointment of DPO
    Updating data protection notices (external) and policies (internal)
    International data transfer agreements
    Processes to handle data access and correction requests
    Data breach planning
    Education and training
AICPA/CICA Privacy Maturity Model

APEC CBPR program requirements

Question
35. Do you require personal information processors, agents, contractors, or other service providers to whom you transfer personal information to protect against loss, or unauthorized access, destruction, use, modification or disclosure or other misuses of the information by:
    35.a) Implementing an information security program that is proportionate to the sensitivity of the information and services provided?
    35.b) Notifying you promptly when they become aware of an occurrence of breach of the privacy or security of the personal information of the Applicant’s customers?
    35.c) Taking immediate steps to correct/address the security failure which caused the privacy or security breach?

Assessment Criteria
The Accountability Agent must verify that the Applicant has taken reasonable measures (such as by inclusion of appropriate contractual provisions) to require information processors, agents, contractors, or other service providers to whom personal information is transferred, to protect against leakage, loss or unauthorized access, destruction, use, modification or disclosure or other misuses of the information. The Applicant must periodically review and reassess its security measures to evaluate their relevance and effectiveness.
Questions?
Ken Chia
Principal
Baker & McKenzie.Wong & Leow
8 Marina Boulevard
#05-01 Marina Bay Financial Centre Tower 1
Singapore 018981
Direct: +65 6434 2558
Main: +65 6338 1888
Fax: +65 6337 5100
www.bakermckenzie.com