Need for PDPA compliance for Singapore schools
Under Section 4(1)(c) of the PDPA provides that the Data Protection Provisions shall not be applicable to any public agency. Under the said law, public agencies include the Government and specified statutory bodies, including the CPE.
With this, education institutions that do not fall within the definition of a public agency, such as government-aided schools, specialized schools, specialized independent schools, autonomous universities, SIM University, independent schools, Nanyang Academy of Fine Arts, LASALLE College of the Arts, and private education institutions, need to comply with PDPA provisions.
PDPA compliance for Singapore schools: Consent, Purpose Limitation and notification obligations
The PDPC understands why there is a need for Organizations to collect, use, and disclose students’ personal data. This is to provide the student with education services, administer bursaries, scholarships, and relevant financial assistance schemes to eligible students, or evaluate the student’s suitability for a course. Furthermore, the commission also recognizes that the data collection, usage, and disclosure differs from educational institutions to another.
With this, the PDPA compliance for Singapore schools is for them to specify and notify the purposes at an appropriate level of detail that will allow an individual to identify why the education institution is collecting, using, or disclosing personal data.
The schools are also encouraged to consider factors such as the case’s specific facts, operational and business needs, and to refer to the Key Concepts in the PDPA’s Advisory Guidelines.
Under the PDPA provisions, if organizations are required to collect, use or disclose personal data, they are required to secure valid consent from the individual for a limited purpose that has been notified to the individual for the collection, use, and disclosure of personal data. Thus, since schools are required to collect, use, and disclose the personal data of their students, then they are required to secure valid consent from their students upon its collection, usage, or disclosure of their personal data.
There is no manner of collecting such consent prescribed by PDPC. The educational institutions can decide how to collect it in the most suitable way, which must still be in accordance with the PDPA.
PDPA compliance for Singapore schools: Considerations in obtaining consent
According to the Revised Advisory Guidelines for the Education Sector of 2013, in relation to the consent obligations of educational institutions prior to the collecting, using, or disclosing personal data of students, an educational institution should consider:
a) Whether the individual (or a person who has the legal authority to act on behalf of the individual validly) had been notified of the purposes for the collection, use, or disclosure of his personal data and had given consent to such collection, use or disclosure;
b) If consent had not actually been given, whether consent can be deemed to have been given by the individual (or a person who has the legal authority to act on behalf of the individual validly) for the collection, use, or disclosure of his personal data for the purpose; and
c) Whether the collection, use, or disclosure without the consent of the individual is required or authorized under the PDPA or any other written law, and assess whether the circumstances fall within any of the exceptions from the Consent Obligation in the Second, Third or Fourth Schedules to the PDPA.
The Do Not Call Provisions and the PDPA compliance for Singapore schools
Under the Do Not Call provision of the PDPA, organizations are not allowed to send specified messages to the individual’s telephone or mobile number that are registered in the Do Not Call Registry, or else such Organizations will face a hefty fine.
Under the Do Not Call Provision, these specified messages are messages with a purpose to offer to supply, advertise or promote goods or services, land or an interest in land, or a business or investment opportunity, or a supplier of such goods, services, land or opportunity.
However, there are exceptions to this rule: if the consent was given by the recipient, if the message was not specified, or if such message is a specified one, the Organization is exempted from complying with its obligation under the Exemption Order.
Under the Exemption Order, if there exists an ongoing relationship between the sender and a recipient, the Organization is exempted from the requirement to check the relevant Do Not Call Registers.
With this, since education institutions and their students have an ongoing relationship, the do Not Call provisions do not apply. This goes the same with messages from the school, which are not specified ones.
Hiring a Data Protection Officer (DPO) and the PDPA compliance for Singapore schools
Organizations that collect, use, and disclose data are covered under the PDPA. From what we have learned from the PDPC decision and undertakings, if there is a breach, regardless if it was just a mere mistake of its employee, the Organization could be made to pay a hefty fine that ranges up to 1,000,000 SGD. To avoid this, the hiring of a DPO comes to play.
The DPO’s importance lies in ensuring that all the compliance with the PDPA is met. For every Organization covered by the PDPA, they are required to hire DPOs to ensure that no breach will happen any time in the future.
This is because the DPO is tasked to do the following responsibilities to limit any data breach:
a. Putting together a personal data protection policy that sets out the purposes for which personal data may be collected, used, or disclosed by the education institution, as well as other data protection practices to ensure compliance with the PDPA and making information about this policy available to all stakeholders;
b. Raising awareness and fostering a culture of data protection among staff and key personnel
c. Developing and implementing policies and processes for the proper handling and management of personal data protection-related queries and complaints (e.g., access and correction requests) and making information about the complaints process available on request; and
d. Alerting the education institution to any risks that might arise concerning the collection, use, or disclosure of personal data.