

Summary of Life Insurers' Obligations under the Singapore PDPA 2012

Date
December 27, 2017
Author
OrionW

The Life Insurance Association of Singapore has published a Code of Practice that sets out best practices for life insurers in Singapore to comply with the Personal Data Protection Act 2012 (PDPA).  This article, prepared specifically for life insurers, seeks to help life insurers navigate Singapore’s personal data protection regulations by providing a clear summary organised according to the nine personal data protection obligations underlying the PDPA.

  1. Consent Obligation

      a. Obtaining consent

You must:

  • only collect, use or disclose your customers’ personal data after obtaining their consent (unless collection, use or disclosure without consent is permitted under the PDPA or any other written law); and
  • not require, as a condition for the provision of a product or service, your customers’ consent beyond what is reasonable for the product or service.

      b. Withdrawal of consent

You must:

  • upon receipt of a customer’s notice of withdrawal of consent, inform him or her of the likely consequences of withdrawing consent; and
  • after withdrawal of consent:
      • cease, and cause your agents and data intermediaries to cease, all collection, use or disclosure of the customer’s personal data; and
      • only retain the customer’s personal data if it is necessary for your legal or business purposes.

  2. Purpose Limitation Obligation

You may only collect, use or disclose personal data of your customers for purposes which a reasonable person would consider appropriate in the circumstances.  For example, where data comprise different constituent sections or sets, you may only disclose appropriate sections or sets to a third party where permitted.

  3. Notification Obligation

You must notify your customers of the purposes for which you are collecting, using or disclosing their personal data before you collect, use or disclose it.

  4. Access and Correction Obligation

      a. Access

Your customers have the right to request access to personal data about them that you keep or control, and to information about the ways in which you have used or disclosed that personal data within the year before the date of the request.

        i. Charging a reasonable service fee.  You may charge a reasonable service fee for processing an access request.  However, before processing the request, you must:

  • provide your customer with the fee amount or an estimate; and
  • verify the identity of the requesting party.

       ii. Deadline for furnishing the requested information.  If your customer has properly prepared and submitted an access request, you must:

  • furnish the personal data as soon as reasonably possible after the date of receipt of the access request; or
  • if you are unable to do so within 30 calendar days after the date of receipt of the request, inform your customer within that time as to the date you will respond to the request.

      iii. Situations where access need not be granted.  You do not have to grant access to your customers in certain situations, such as where the provision of that personal data or other information could reasonably be expected to:

  • reveal personal data about another individual; or
  • reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity.

      b. Correction

Your customers have the right to request correction of personal data about them that you keep or control.

        i. Deadline for making the requested correction.  If your customer has properly prepared and submitted a correction request, you must:

  • make the requested correction as soon as practicable after the date of receipt of the correction request; or
  • if you will be unable to do so within 30 calendar days after the date of receipt of the request, inform your customer within 14 calendar days after receipt of the request as to the soonest practicable time you will make the correction.

        ii. Sharing of corrected personal data.  You must send the corrected personal data within 30 calendar days to every organisation to which you had disclosed the personal data in the previous 12 months if the corrected personal data is necessary for their legal or business purposes.

      iii. Situations where correction need not be made.  You do not need to make a correction if:

  • you are satisfied on reasonable grounds that a correction does not have to be made.  You must still annotate the personal data with the correction that was requested but not made; or
  • the correction request is made in respect of an opinion (including a professional or expert opinion).
  5. Accuracy Obligation

You:

  • must make a reasonable effort to accurately record the personal data provided by your customers or by parties validly acting on your customers’ behalf.  Making a reasonable effort includes:
      • taking reasonable steps to review the completeness of any submitted forms or other written documentation; and
      • verifying your customers’ identities against their identification documents.
  • should, when in doubt, ask your customers to make a verbal or written declaration that the personal data provided is accurate and complete.
  • should, if necessary, request your customers to provide their personal data again to ensure that your records are current, and make reasonable efforts to accurately record the updated personal data provided by your customers or by parties validly acting on your customers’ behalf.

  6. Protection Obligation

You must:

  • make reasonable security arrangements to protect your customers’ personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal and similar risks;
  • establish reasonable practices, which may include internal policies, processes and procedures, to restrict access to systems and personal data on a need-to-know basis; and
  • comply with any regulations and guidelines issued by any other relevant regulatory body, such as the Monetary Authority of Singapore.
  7. Retention Limitation Obligation

You must cease to retain, or anonymise, personal data as soon as it is reasonable to assume that the data no longer serves the purpose for which it was collected and is not necessary for your legal or business purposes.

The following table illustrates the minimum retention period for personal data collected for particular purposes:

You may retain the personal data beyond the minimum retention period specified above if it is necessary for your legal or business purposes.

When the time comes to dispose of personal data, you must dispose of it properly.  For example, physical data might be securely shredded or incinerated and real attempts should be made to ensure that all original, backup, and archive copies of electronic data are completely destroyed or deleted.

  8. Transfer Limitation Obligation

You must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA (the details of which are beyond the scope of this article).

  9. Openness Obligation

You must:

  • make information about your data protection policies, practices and complaints process available to your customers upon request; and
  • designate one or more individuals (“data protection officers”) to be responsible for ensuring your compliance with the PDPA.  The business contact information of at least one of those officers must be made available to the public.

If you engage data intermediaries, check that contractual safeguards are in place to ensure that those intermediaries also comply with the provisions of the PDPA applicable to them.  Consider anonymising personal data, to the extent feasible.

Finally, please be aware that further changes to the personal data protection regime in Singapore may be made in the near future.  Those changes may include the introduction of a mandatory requirement to notify affected parties and the Personal Data Protection Commission in the event of a data breach.  Life insurers and their data protection officers would be well advised to begin considering establishing processes to enable them to comply with any such requirement in the future.
