Personal Data Protection requirements: keeping members/subscribers contact information
Before you require subscribers to provide you with their contact information, you should seek to understand what is expected of you under the Consent Obligation, the Purpose Limitation Obligation, and the Notification Obligation of the Personal Data Protection Act ('PDPA') of Singapore.
The PDPA is the legislation governing the collection, use, and disclosure of personal data by organisations.
"Personal data" is defined in the PDPA as any data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access. The contact information of subscribers would fall within the definition of personal data.
In obtaining / collecting the contact information (and other personal data) of subscribers for a membership program, the PDPA requires you to do the following at the time of collection:
- Notify subscribers of the purposes for which their personal data would be collected, used, and disclosed by you as part of the membership program (e.g., for handling the subscriber's membership application, for administering the subscriber's membership account, etc.).
- Obtain consent from subscribers for the collection, use, and disclosure of their personal data. Such consent should ideally be given by the subscriber in an express manner (e.g., by checking an 'I agree to the terms and conditions' box) and you should keep records of the consent.
Please note that if you intend to obtain consent for marketing purposes, subscribers should have the option whether or not to give consent to the marketing purposes. In other words, you must not deny provision of any part of the membership program to a subscriber simply because they do not give consent for the marketing purposes. As such, most organisations would provide a separate check box for a subscriber to indicate if he or she agrees to receive marketing communications.
Thereafter, in your ongoing use of the contact details and other personal data for the membership program, the PDPA requires you to do the following:
- Only use and disclose the collected personal data for the purposes which would be considered reasonably appropriate in the circumstances and if applicable, have been notified to subscribers.
- Protect personal data which is in your possession or control through the provision of reasonable security arrangements.
- If requested by a subscriber, provide the subscriber with access to his/her personal data and information on how such personal data has been used in the last year.
- Ensure that personal data of a subscriber is accurate and complete during collection and when making a decision which will affect the subscriber.
- Correct a subscriber's personal data upon request.
- If you need to transfer the personal data outside of Singapore, you must ensure that an overseas recipient of the personal data provides a standard of protection for the transferred data which is comparable to what is required under the PDPA.
- Designate a data protection officer and make available his/her business contact information.
- Develop internal and implement policies and practices to comply with the PDPA.
- Notify the Personal Data Protection Commission and affected subscribers in the event of a data breach.