Copious amounts of personal data are collected by banks each day and frequently shared with third parties as technology continues to revolutionise the way we bank. Last year, the Association of Banks in Singapore released the Code of Banking Practices, which outlines the responsibilities of banks under the Personal Data Protection Act ('PDPA') and its regulations.
The Personal Data Protection Act
The PDPA 2012 was passed in Singapore to "govern the collection, use and disclosure of personal data by organisations" (section 3, PDPA). Since its data protection provisions took effect on 2 July 2014, the PDPA has recognised both the right of individuals to protect their personal data and the need of private organisations, banks included, to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Personal data is defined as data, whether true or not, about an individual who can be identified from that data alone or from that data together with other information to which the organisation has or is likely to have access. A limited set of the Act's obligations (protection and disclosure) also applies to data about individuals who have been deceased for ten years or less. The definition covers electronic and non-electronic data alike, including email addresses and phone numbers. It is not restricted to information on customers and prospects; it applies equally to employee personal data held within a business.
Business contact information is excluded from the data protection obligations of the PDPA, although the Do Not Call (DNC) registry provisions still apply to business telephone numbers. Business contact information comprises the individual's name, position or title, business telephone number, business address and business email address, provided these details were given for business purposes rather than personal ones. Details handed over for personal purposes do not qualify for the exclusion.
This does not mean that existing data has to be erased or that fresh consent must be obtained from every individual concerned. Personal data collected before the data protection provisions took effect may continue to be used for the purposes for which it was collected, unless the individual withdraws consent. It cannot, however, be put to a new purpose: data originally collected to service an account, for instance, cannot be repurposed for direct marketing without consent.
Every organisation in Singapore is affected by the regulations (public agencies are the main exception): listed and private companies, partnerships and charities must all comply. The consequences of non-compliance include financial penalties of up to SGD 1 million per breach, criminal prosecution for certain offences and potential civil claims by affected individuals. Companies using cloud services should also be aware that they remain responsible for compliance as the organisation that controls the data; a cloud provider processing data on their behalf is a data intermediary and does not take over that responsibility.
What can consumer banks do to protect themselves?
Banks must seek consent from their existing or potential customers for the collection, use, or disclosure of personal data.
Compliant consent may be express or deemed. An example of deemed consent is an individual choosing to walk into a branch where clearly visible notices state that surveillance cameras are recording images of customers.
When obtaining consent, banks need to ensure that the information provided is neither misleading nor incomplete; consent obtained that way is not valid. The customer's ability to withdraw consent must also be made clear. The terms and conditions governing consent to marketing and to the handling of personal data should be easily accessible and publicly available.
The purpose of data collection, for example, must be made clear to customers at or before the time of collection. Banks with mobile applications need to ensure that their app seeks users' permission to share their location information and informs them that the app uses the data to locate nearby branches and ATMs.
Under the PDPA, banks must ensure that the personal data they hold is not disclosed to other parties without the consent of the individual, beyond the purposes notified at collection. Given the multiple systems in a bank's architecture and the frequent transfers of data between departments, the bank needs a governed way to verify, at each point of disclosure, that consent covers the intended recipient and purpose.
For the transfer of personal data outside Singapore, banks need consent to the disclosure and must satisfy the transfer limitation obligation: the recipient must be bound by legally enforceable obligations (for example a contract, binding corporate rules or the recipient country's own data protection law) to give the data a standard of protection comparable to that under the PDPA.
Consumer banks must also make a reasonable effort to ensure that the personal data they collect is accurate and complete, particularly where it will be used to make a decision affecting the individual or disclosed to another organisation. The correction obligation has costly ramifications: on a correction request a bank must correct the identified errors or omissions and send the corrected data to every other organisation to which it disclosed the personal data within the preceding year, unless that organisation no longer needs it. The time and effort required to track and process such changes is significant for every bank in Singapore, regardless of size.
Banks need to demonstrate safeguards for personal data that are reasonable for the size and structure of the organisation and the type of personal data held. Those safeguards must address unauthorised access, collection, use, disclosure, copying, modification and disposal, as well as loss of the data and the storage media holding it.
Banks can safeguard personal data through a variety of measures of differing cost and sophistication: physical measures (secured filing, pass cards), organisational measures (security clearance, access on a need-to-know basis) and technical measures (strong authentication, access controls and encryption). The extent and scope of safeguards should take into account the sensitivity and volume of the data, the technology available, and the medium and format in which the data is primarily stored.
Personal data must be retained by a bank only for as long as it is necessary to fulfil the purpose for which it was collected or to meet a legal or business requirement. Given the risk and cost of storing personal data, it is more effective to discard, or anonymise, personal data that is irrelevant or obsolete.
Banks in Singapore are obliged to put in place and document the policies and practices necessary to meet these obligations under the PDPA, and to designate at least one individual (the data protection officer) responsible for compliance. Clear processes must also be developed for receiving and responding to complaints that arise in relation to the Act.
It is useful for banks to adopt data protection policies that include a feedback section with contact details. These policies and practices should be communicated and made available both within the bank and to its customers.
Today, most banks have adopted practices to strengthen data governance and protection within their organisations. While advances in technology will continue to disrupt the way we work, the foundations of data protection policy are still evolving, and must continue to do so.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Asian Banking & Finance. The author was not remunerated for this article.
Ashley is a Deloitte Southeast Asia Consulting Manager with more than eleven years of experience in the global financial services industry. Ashley has worked with leading financial institutions and has gained international experience working across the buy and sell sides in Asset Management, Private Banking, Prime Brokerage, Investment Banking, and Hedge Funds. Ashley specialises in business strategy, regulatory transformation, and operational excellence.