Updated advisory guidelines clarify key considerations for organisations relying on the expanded forms of deemed consent or exceptions to the consent obligation when collecting, using or disclosing personal data.

Guidelines for Expanded Forms of Deemed Consent and Exceptions to the Consent Obligation

Date
February 3, 2021
Author
OrionW

In line with the February 2021 amendments to the Personal Data Protection Act 2012 (PDPA), the Singapore Personal Data Protection Commission (PDPC) has updated the Advisory Guidelines on Key Concepts in the PDPA (Guidelines).  Under the amended PDPA, organisations may disclose personal data without express consent through the expanded forms of deemed consent and exceptions to consent.  An overview of the PDPA amendments may be found here.

Deemed Consent by Contractual Necessity

Deemed consent by contractual necessity expressly allows a downstream organisation (for example, a service provider (Y) to a business (X) that contracted with an individual) to disclose an individual’s personal data to another downstream organisation (for example, Y’s sub-contractor (Z)).

The Guidelines clarify that this category of deemed consent allows further use or disclosure of personal data by downstream organisations.  In the example above, Y, Z and other downstream organisations may rely on deemed consent by contractual necessity where the use or disclosure is reasonably necessary to conclude or perform the contract between the individual and X.  

Deemed Consent by Notification

Deemed consent by notification expressly allows organisations to use previously collected data for a purpose different from their original purpose for collection (further processing), provided that the individuals concerned are notified of the different purpose of the further processing and do not opt out after a reasonable period.

The use of deemed consent by notification is subject to the organisation meeting the following conditions:

  • conducting an assessment to eliminate or mitigate adverse effects of the further processing;
  • taking reasonable steps to ensure adequate and effective notification to individuals regarding the further processing and its purposes and the period for opting-out of the further processing; and
  • providing a reasonable opt-out period.

Assessment Requirement

The updated Guidelines provide a new checklist to assist organisations in their assessments before relying on deemed consent by notification.  Under the checklist, assessments should minimally include considerations on the type of personal data involved, the context or purpose of the further processing, the appropriateness of notification, the reasonableness of the opt-out approach and period, the likelihood of adverse effects on individuals and the outcome of the organisation’s final decision.

Notification Requirement

Notifications to individuals should include:

  • the organisation’s intention and purpose for the further processing; and
  • a reasonable period and manner for the individual to opt-out of the further processing.

The PDPC does not prescribe any notification method that organisations should adopt.  However, organisations should determine the appropriate method(s) of communication by taking the following factors into consideration:

  • the usual mode of communication between the individual and the organisation;
  • the number of individuals to be notified and the effectiveness of direct or mass communication channels; and
  • whether direct communication channels are available (e.g., mail, email, phone calls, SMS, interactive portals or applications).

Opt-Out Period Requirement

The PDPC does not prescribe a specific opt-out period that organisations should adopt.  Organisations should assess and determine the reasonable period by taking into consideration the nature and frequency of interaction with the individual and the communications channels used.  For example, where individuals use an organisation’s mobile application to track information on their monthly medical examination, an opt-out period of less than one month may be unreasonable.  However, organisations may justify a shorter opt-out period if the method of communication is easily accessible, easy to use or has a track record of effectiveness in reaching the intended recipient (e.g., opt-out by email or hyperlink).  A copy of the assessment must be retained by the organisation and provided to the PDPC upon request.  Once the opt-out period has lapsed, the organisation may rely on deemed consent by notification.  However, an individual’s withdrawal of consent will still be effective even if provided after the opt-out period.

Legitimate Interests Exception

Organisations may rely on the specific or general legitimate interests exception to collect, use or disclose personal data without consent.  

Under the specific legitimate interests exception, organisations may rely on certain specific purposes listed under the First Schedule of the PDPA to collect, use or disclose personal data without consent.  Alternatively, the general legitimate interests exception may also be relied on for other purposes if an assessment is made to meet the following requirements:

  • identify and articulate the situation that qualifies as legitimate interests (e.g., identify the actual and non-speculative benefits and identify the beneficiaries);
  • identify any likely adverse effect of the intended collection, use and/or disclosure of personal data on the individual;
  • identify and implement reasonable measures to eliminate, reduce or mitigate any such adverse effects;
  • assess whether the legitimate interests of the organisation, other individuals or other organisations outweigh any residual adverse effect on the individual; and
  • disclose the organisation’s reliance on the exception.

The Guidelines set out a checklist for organisations to use in their assessment of legitimate interests.  

Business Improvement Exception

Generally, the business improvement exception allows organisations to collect, use and/or disclose personal data without consent for the purposes of improving, enhancing or developing goods or services or new methods or processes for business operations (Improvement Purposes).

To rely on the business improvement exception to use personal data without consent, organisations are required to ensure that the Improvement Purposes cannot be reasonably realised using anonymised data and that a reasonable person would consider the organisation’s use of personal data appropriate in the circumstances.  Apart from the Improvement Purposes, organisations may use personal data without consent for:

  • the learning or understanding of individuals’ behaviour and preferences; or
  • the identification, personalisation or customisation of suitable goods or services for individuals.

An organisation may also disclose personal data without consent to other entities in its group of companies for the following purposes:

  • the Improvement Purposes;
  • the learning or understanding of existing or prospective customers’ behaviour and preferences; or
  • the identification, personalisation or customisation of suitable goods or services for existing or prospective customers.

Restrictions on Use for Marketing Purposes

Organisations cannot rely on deemed consent by notification, the legitimate interests exception or the business improvement exception to send direct marketing messages and must comply with the Do-Not-Call provisions under the PDPA.

For More Information 

OrionW regularly advises clients on data protection matters.  For more information about the Guidelines or the PDPA, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
