PDPA compliance for fund management companies

Page 1: PDPA compliance for fund management companies

Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.

© 2014 Baker & McKenzie.Wong & Leow

PDPA compliance for fund management companies

IMAS Seminar, 28 May 2014

Ken Chia

Page 2: PDPA compliance for fund management companies

Agenda

Page 3: PDPA compliance for fund management companies

Agenda

‒ New updates

‒ Compliance steps for fund management companies

Page 4: PDPA compliance for fund management companies

New updates

Page 5: PDPA compliance for fund management companies

New updates

‒ New Personal Data Protection Regulations issued 19 May 2014

  Access and Correction Requests

  Transfer of personal data outside Singapore

‒ Revised Advisory Guidelines issued 16 May 2014

  Access and Correction Obligation

  Transfer Limitation Obligation

  Consent Obligation

  Exercising appropriate due diligence when obtaining personal data from third party sources

Page 6: PDPA compliance for fund management companies

Access and Correction Requests

‒ s3(2): a request must be sent to the organisation

  in accordance with section 48A of the Interpretation Act: by personal service or pre-paid post to the usual or last known address / principal or last known place of business / registered office or principal office

  to the DPO

  in such other manner as is acceptable to the organisation

‒ Organisation to provide information on use/disclosure of the personal data over the past year

Page 7: PDPA compliance for fund management companies

Access and Correction Requests

‒ s4(2): organisation should provide the complete set of personal data

  unless “impracticable in any particular case, by allowing the applicant a reasonable opportunity to examine the personal data and use and disclosure information”

  or in such other form requested by the applicant as is acceptable to the organisation

‒ “as accurately and completely as necessary and reasonably possible”

Page 8: PDPA compliance for fund management companies

Access and Correction Requests

‒ Access to own data, not whole systems

‒ Only to data currently in possession or control

‒ If data cannot be extracted in documentary form, reasonable opportunity to examine the requested data

‒ Covers unstructured data, including emails

‒ Can just point to online portals to get the information

‒ Can ask the applicant to be more specific, but if unwilling, make a reasonable attempt to respond to the access request

Page 9: PDPA compliance for fund management companies

Access and Correction Requests

‒ Can use a standard list of all possible third parties to whom personal data may have been disclosed by the organisation

‒ but should individually identify each possible third party, instead of simply providing general categories of organisations (e.g. ‘pharmaceutical company ABC’ instead of ‘pharmaceutical companies’), to allow individuals to directly approach the third party organisation

‒ Use and disclosure information may be given by purpose rather than for each instance (e.g. “for audit purposes”)

Page 10: PDPA compliance for fund management companies

Access and Correction Requests

‒ s5: timeframe for access/correction requests is 30 days from the request, or (if more than 30 days) the timeframe notified in writing by the organisation

‒ s6: refusal to confirm or deny the existence, use or disclosure of personal data related to any investigation or proceedings if the investigation and associated proceedings and appeals have not been completed

Page 11: PDPA compliance for fund management companies

Access and Correction Requests

‒ s7: organisation may charge a reasonable fee to recover the incremental costs of responding to an access request

  but not for an s22(2) correction request

Page 12: PDPA compliance for fund management companies

Transfer of personal data outside Singapore

‒ s9(1): transferring organisation must, before transferring an individual’s personal data to a country or territory outside Singapore

  (a) take appropriate steps to ensure that the transferring organisation will comply with Parts III to VI of the Act, in respect of the transferred personal data while it remains in the possession or under the control of the transferring organisation;

    III - General compliance; appointment of DPO; openness obligations

    IV - Collection, use and disclosure obligations

    V - Access and correction obligations

    VI - Protection obligations

Page 13: PDPA compliance for fund management companies

Transfer of personal data outside Singapore

‒ s9(2): transferring organisation deemed to have satisfied the conditions for transfer if the personal data is

  (a) data in transit;

  “means personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring organisation or an employee of the transferring organisation acting in the course of the employee’s employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation”

  (b) publicly available in Singapore

Page 14: PDPA compliance for fund management companies

Transfer of personal data outside Singapore

‒ s9(1)(b): take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data in that country or territory outside Singapore (if any) is bound by legally enforceable obligations (in accordance with regulation 10) to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act.

Page 15: PDPA compliance for fund management companies

Transfer of personal data outside Singapore

‒ s9(1)(b) satisfied if

  the individual consents to the transfer of the personal data to that recipient in that country or territory

  and, before giving his consent, has been given a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the Act

Page 16: PDPA compliance for fund management companies

Transfer of personal data outside Singapore

‒ s9(1)(b) satisfied if

  the transfer is necessary to fulfil a contract between the organisation and the individual

  the personal data is in transit or publicly available in Singapore

Page 17: PDPA compliance for fund management companies

Transfer of personal data outside Singapore

‒ s9(1)(b) satisfied if

  the transfer is necessary for use/disclosure where certain exceptions to consent apply: used under paragraph 1(a) [in interests of individual], (b) [emergency] or (d) [national interest] of the Third Schedule to the Act, or disclosed under paragraph 1(a), (b), (c) [health & safety], (e) or (o) [next of kin] of the Fourth Schedule to the Act

  and the transferring organisation has taken reasonable steps to ensure that the personal data so transferred will not be used or disclosed by the recipient for any other purpose

Page 18: PDPA compliance for fund management companies

Transfer of personal data outside Singapore

‒ s10(1): legally enforceable obligations include

  (a) any law;

  (b) any contract which requires the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the Act, and specifies the countries and territories to which the personal data may be transferred under the contract;

  (c) any binding corporate rules;

  (d) any other legally binding instrument

Page 19: PDPA compliance for fund management companies

Contractual clauses for protection

‒ Purpose of collection, use and disclosure by recipient

‒ Accuracy

‒ Protection*

‒ Retention limitation*

‒ Policies on personal data protection

‒ Access

‒ Correction

* obligations that apply to a data intermediary

Page 20: PDPA compliance for fund management companies

Binding corporate rules

‒ must require every recipient of the transferred personal data that is related to the transferring organisation to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the Act;

‒ must specify the recipients, the countries and territories, and the rights and obligations provided by the binding corporate rules

‒ only for those recipients under the control of, controlling, or under common control with the transferring organisation

Page 21: PDPA compliance for fund management companies

Exercise of rights under the Act in respect of a deceased individual

‒ s11

  Personal representatives

  Schedule 1 relatives

Page 22: PDPA compliance for fund management companies

Compliance steps for fund management companies

Page 23: PDPA compliance for fund management companies


Countdown

35 days to 2 July 2014 !

Page 24: PDPA compliance for fund management companies

Effective Compliance Culture

‒ Risk identification

‒ Risk assessment

‒ Risk mitigation

‒ Review

Page 25: PDPA compliance for fund management companies

Compliance steps

‒ Risk identification and assessment

  PDPC personal data protection checklist

  Privacy impact assessment for new projects

‒ Risk mitigation

  Appointment of DPO

  Updating data protection notices (external) and policies (internal)

  International data transfer agreements

  Processes to handle data access and correction requests

  Data breach planning

  Education and training

Page 26: PDPA compliance for fund management companies

AICPA/CICA Privacy Maturity Model

Page 27: PDPA compliance for fund management companies

Question:

35. Do you require personal information processors, agents, contractors, or other service providers to whom you transfer personal information to protect against loss, or unauthorized access, destruction, use, modification or disclosure or other misuses of the information by:

35.a) Implementing an information security program that is proportionate to the sensitivity of the information and services provided?

35.b) Notifying you promptly when they become aware of an occurrence of breach of the privacy or security of the personal information of the Applicant’s customers?

35.c) Taking immediate steps to correct/address the security failure which caused the privacy or security breach?

Assessment criteria:

The Accountability Agent must verify that the Applicant has taken reasonable measures (such as by inclusion of appropriate contractual provisions) to require information processors, agents, contractors, or other service providers to whom personal information is transferred, to protect against leakage, loss or unauthorized access, destruction, use, modification or disclosure or other misuses of the information. The Applicant must periodically review and reassess its security measures to evaluate their relevance and effectiveness.

APEC CBPR program requirements

Page 28: PDPA compliance for fund management companies

Questions?

Ken Chia

Principal

Baker & McKenzie.Wong & Leow

8 Marina Boulevard

#05-01 Marina Bay Financial Centre Tower 1

Singapore 018981

Direct: +65 6434 2558

Main: +65 6338 1888

Fax: +65 6337 5100

[email protected]

www.bakermckenzie.com