Organizations that collect, use, and disclose personal data of individuals are required to comply with the provisions of the Personal Data Protection Act. Otherwise, they will be made to pay a hefty fine. This is why the telecommunication sector is encouraged to read the Guidelines and other advisories from the PDPC for them to be guided on the latest obligations to follow.
PDPA compliance for the Telecommunication sector
Not all data collected by the telecommunication sector constitutes as personal data. As defined in the Advisory Guidelines for the Telecommunication Sector of 2014, personal data is data, whether true or not, about an individual who can be identified: a) from that data, or b) from that data and other information to which the Organization has or is likely to have access. Thus, when an individual cannot be identified from the said data, the PDPA does not generally apply.
Thus, in the cases of mobile, telephone, and International Mobile Equipment Identity (“IMEI”) numbers, where an individual is not identifiable from the data, then these are not personal data and the PDPA obligations do not apply. However, while the data cannot pinpoint a specific person but an organization has or is likely to have access to other information that will allow the individual to be identified when taken together with that data, then the Guidelines must be strictly observed.
PDPA compliance for the Telecommunication sector: Data Protection Provisions
Under the PDPA, Organizations in the telecommunication sector must comply with the obligations set by the PDPA and enforced by the PDPC. Furthermore, they are required to obtain consent from the individual for a limited purpose that has been notified to the individual for the collection, use, and disclosure of their personal data, unless exceptions apply.
When an individual willingly contributes their personal data to an organization for a specific purpose, and it is reasonable that they would do so, the individual is presumed to agree to the collection, use, or dissemination of the data. Furthermore, when such personal data is transferred from one Organization to another for a specific purpose, the person is presumed to agree to the other Organization’s collection, use, or disclosure of the data for that purpose.
PDPA compliance for the Telecommunication sector: Application of the Do Not Call Provision
Under the Do Not Call provision of the PDPA, organizations cannot send specified messages to the individual’s telephone or mobile number registered in the Do Not Call Registry. Otherwise, such Organizations will face a hefty fine.
Under the Do Not Call Provision, these specified messages are messages with a purpose to offer to supply, advertise or promote goods or services, land or an interest in land, or a business or investment opportunity, or a supplier of such goods, services, land or opportunity.
However, there are exceptions to this rule. If the consent was given by the recipient for the unspecified message, or if such message is a specified one, the Organization is exempted from complying with its obligation under the Exemption Order.
Under the Exemption Order, if there exists an “ongoing relationship” between the sender and a recipient, the Organization is exempted from the requirement to check the relevant Do Not Call Registers.
An “ongoing relationship” under the Exemption Order means a relationship which is on an ongoing basis, between a sender and a subscriber or user of a Singapore telephone number, arising from the carrying on or conduct of a business or activity (commercial or otherwise) by the sender.
Every telecommunication service provider is required by Section 42 of the PDPA to notify the Commission of all discontinued Singapore telephone numbers. However, the license granted by the original subscriber is not revoked.
In some situations, the Commission recognizes that individuals may have clear and unambiguous authorisation from the original subscriber of a specific telephone number, which is afterwards cancelled by the original subscriber and assigned to a new person.
Similarly, a user (original user) of a telephone number may stop using that number (without causing any changes to the subscriber) and allow a new user to use the number. In some cases, the cancellation of a phone number or a change in the number’s user does not automatically or unilaterally revoke the authority granted by the original subscriber or user.
However, it should be noted that once users are aware that the subscriber or user who consented to the transmission of specified messages to that telephone number is no longer the current subscriber or user of that telephone number, they cannot rely on the authorization gained from the original subscriber or original user to send specified messages to that telephone number.
Specified messages sent by telecommunication operators
It is in the understanding that telecommunication operators typically send messages with the following characteristics:
- Account information, such as account balance, details, and reminders for late payments;
- Product or service information; and
- Marketing information.
As a general rule, messages sent by the telecommunication operators based on the following characteristics do not constitute a specified message, and the Do Not Call provision does not apply.
How Privacy Ninja can help
Privacy Ninja can help with your PDPA compliance needs with ease without you lifting a finger for a competitive price. Furthermore, value adds to your organization’s data protection policies by participating in Privacy Ninja’s exhaustive PDPA training. In sum, we got you covered with your PDPA compliance needs.
Also Read: PDPA compliance for the healthcare sector