'The pressure of laws and regulations that comes with the practice of PDPA.'
How can we manage this impact on banking industry?
CODE OF BANKING PRACTICES –
THE PERSONAL DATA PROTECTION ACT ("PDPA")
This Code of Banking Practices ("Code") clarifies the practices for banks in Singapore in respect of the PDPA and its regulations, where applicable.
1. Purpose & Scope
a. This Code aims to provide information on how the PDPA may apply to the unique circumstances faced by the banking sector.
b. Banks in Singapore are regulated on the disclosure of customer information by the MAS through statutes, regulations, directives, and notices, and these requirements apply in conjunction with the requirements of the PDPA. Generally, if there is an inconsistency between the DP Provisions and any written law, the written law will prevail to the extent of the inconsistency.
c. In applying this Code, it should be borne in mind that Section 11(1) of the PDPA provides that "In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances." Banks are to consider what is reasonably appropriate when considering how they should meet their responsibilities under the PDPA.
d. Please note that this Code does not amount to any advice, whether legal or otherwise, and is not legally binding on ABS or its members. It does not modify or supplement in any way the legal effect or interpretation of the PDPA and any subsidiary legislation (such as rules and regulations), and should not be construed as limiting or restricting the PDPC in its interpretation, administration and enforcement of the PDPA.
2. DNC Registry Provisions
a. The DNC Registry Provisions came into effect on 2 January 2014, enabling individuals to opt out of receiving telemarketing messages or messages of a marketing nature which fall within the meaning of specified message in the PDPA ("Specified Messages") by registering their Singapore telephone numbers on one or more of the DNC Registers.
b. There are three separate DNC Registers in which you may register
your number, namely the:
o No Voice Call Register;
o No Text Message Register; and
o No Fax Message Register.
Specified Messages (via text or fax) to customers with an ongoing relationship with the bank
e. Even if your Singapore telephone number is registered with
the No Text Message Register or No Fax Message Register mentioned
above, a bank may send certain Specified Messages by text or fax to
you, if
o At the time of sending the message, the bank has an ongoing
relationship with you, and the message is related to the subject of
the ongoing relationship; and
o You have not withdrawn consent or otherwise opted out or
indicated to the bank that you no longer wish to receive such
messages.
Specified Messages to individuals who have given clear and unambiguous consent:
g. Even if your Singapore telephone number is registered with one
or more of the DNC Registers listed above, you may still receive
Specified Messages from your bank if you have provided consent in a
clear and unambiguous manner in evidential form to receiving such
marketing messages at your Singapore telephone number.
Messages of a purely administrative, servicing and non-marketing nature:
j. If your Singapore telephone number is registered with the DNC Registry, you may still be able to receive messages from your bank that are of a purely administrative, servicing, and non-marketing nature. You do not need to inform your bank separately that you wish to continue receiving such messages.
k. Examples of such messages would include messages sent solely for the following purposes and that do not have any marketing element:
o To request that you update your personal data with the bank;
o An alert or notice relating to your accounts, products and other banking services provided to you;
o To remind you to pay a bill;
o To conduct market research or market survey; or
o To obtain service feedback.
Messages solely to provide notification concerning a change in terms and features
o. Messages sent solely to provide notification concerning a change in the terms and features of a subscription, membership, account, loan or comparable ongoing commercial relationship involving your ongoing purchase or use of goods or services offered by the bank would not be considered a Specified Message.
Data Protection (DP) Provisions
a. Amongst other things, these DP Provisions cover: (i) the collection, use and disclosure of your personal data by the bank; (ii) your access to and the correction of your personal data in the possession or under the control of the bank; and (iii) the bank's retention and protection of your personal data.
b. The DP Provisions came into effect on 2 July 2014, and operate
in conjunction with the DNC Provisions.
Exclusions and exceptions under the DP Provisions
g. The DP Provisions do not apply to Business Contact Information ("BCI"). This includes your name, job title, office telephone number, office mailing address, and any other similar information about you, not provided by you solely for personal purposes.
Withdrawal of Consent under the DP Provisions:
j. You may withdraw your consent for the collection, use or disclosure of personal data by giving reasonable notice to the bank of the withdrawal in accordance with the bank's procedure. The bank may take up to 30 days from the date of receipt of your notice to process and effect the withdrawal, depending on the circumstances.
k. After you have withdrawn consent, the bank, its agents and data intermediaries will cease to collect, use or disclose your personal data, as the case may be, except as required or authorised by written law. The bank will inform you of the likely consequences of withdrawing consent, if any, when it receives your notice of withdrawal of consent.
l. There may be legal consequences arising from your withdrawal of consent. For example, if you withdraw consent for the use of your personal data such that it is impossible for the bank to continue to provide services to you, this may result in the termination of the bank-customer relationship in relation to such services. However, banks are not required to delete your personal data upon receipt of your withdrawal of consent. The bank may still retain your personal data if it is needed for legal or business purposes. Personal data will not be retained for marketing purposes unless consent has been obtained. The PDPA does not prescribe a specific time period for which organisations can retain personal data.
Concurrently, banks may retain your personal data to comply with record retention requirements under various written laws.
Access and Correction:
n. You may request for access to your personal data and information
about the ways the personal data may have been used or disclosed in
the past year. You may also request for correction of an error or
omission in your personal data.
Data Protection Policy / Privacy Notice and Care of Personal Data
a. Please refer to the relevant bank's data protection policy or privacy notice for more information on how the bank meets its obligations under the PDPA. Amongst other things, the document will include information on how long your personal data will be retained and if applicable, the situations where it would be transferred out of Singapore.
b. Personal data is disclosed by the bank to third party vendors and/or its group/regional office in accordance with the bank's notice relating to the PDPA. This personal data is transferred strictly in accordance with your consent or law.
c. Banks will not transfer personal data outside of Singapore
unless the transfer complies with MAS requirements and the PDPA and
its regulations.
d. Please note that banks may sign agreements with affiliates
outside of Singapore, or develop corporate rules which bind foreign
branches when transferring personal data offshore as necessary in
order to ensure that the personal data so transferred is afforded
protection comparable to the protection under Singapore law.
Data Protection Officer
a. For further information on a particular bank's data privacy policy and processes, please contact the relevant bank's data protection officer (or such other officer who may be delegated with the responsibility) whose contact details are available on each bank's website.