To design effective data protection compliance measures, data protection officers must focus on the role their company plays in handling an individual’s personal data.

What are Organisations and Data Intermediaries?

Like data protection and privacy laws worldwide, Singapore’s Personal Data Protection Act (PDPA) distinguishes between two different types of companies: organisations (often called “controllers” under other laws) and data intermediaries (often called “processors” under other laws). Because organisations and data intermediaries play very different roles in handing an individual’s personal data, they have correspondingly different data protection obligations.

Under the PDPA, a data intermediary is defined as the entity that processes personal data “on behalf of another organisation.” Data intermediaries, accordingly, process data not on their own behalf but on behalf of other organisations, often their business customers. In that capacity, a data intermediary often will not interact directly with individuals — making it important that consumer-facing requirements are not applied directly to data intermediaries. Instead, data intermediaries are typically subject to contractual data protection obligations, such as limits on how and why they access personal data for processing activities. The relationship between an organisation and its data intermediary is highlighted below.

Example of an Organisation and its Data Intermediary

A business enters into a contract with a printing company to create invitations to an event. The business gives the printing company the names and addresses of the invitees from its contact database, which the printer uses to address the invitations and envelopes. The business then sends out the invitations.

The business is considered the organisation, since it controls the personal data processed in connection with the invitations. The business decides the purposes for which the personal data is processed (to send individually addressed invitations) and the means of the processing (mail merging the personal data using the invitees’ addresses).

The printing company is the data intermediary — handling the personal data according to the business’s instructions. The printing company cannot sell or use the data for other purposes, such as marketing. If the printing company disregards these limits and uses the data for its own purposes, it would take on the role of an organisation because it is now in control of and making decisions about how the personal data is used. In this case, the printing company would become subject to all obligations imposed on an organisation.

Obligations of Organisations and Data Intermediaries under the PDPA

Organisations are subject to all eleven obligations specified under the PDPA:

1. Accountability — to demonstrate responsibility through the proper management and protection of personal data;
2. Notification — to notify individuals of the purposes of collecting, using, and disclosing their personal data;
3. Consent — to collect, use, or disclose personal data for purposes for which consent has been given and allow individuals to withdraw consent;
4. Purpose Limitation — to collect, use, or disclose personal data for reasonable purposes and for which the individual has given consent;
5. Accuracy — to ensure that the personal data is accurate and complete;
6. Access and Correction — to provide individuals with access to their personal data and correct errors or omissions;
7. Protection — to make reasonable security arrangements to protect the personal data in the organisations’ possession, including preventing unauthorised access, collection, use, disclosure, or similar risks;
8. Retention Limitation — to keep personal data only as long as it is needed and to dispose of personal information properly when it is no longer needed for business or legal purposes;
9. Transfer Limitation — to transfer personal data overseas according to regulatory requirements, ensuring that the standard of protection is comparable to that required under the PDPA;
10. Data Breach Notification — to notify the PDPC and affected individuals as soon as practicable if there is a data breach that is likely to result in significant harm to individuals or are of significant scale; and
11. [To be advised] Data Portability — to transmit the individual’s data to another organisation in a commonly used, machine-readable format. Note that this requirement is currently under development.

On the other hand, data intermediaries are subject only to the Protection and Retention Limitation obligations, with the additional obligation to notify an organisation for which it is processing personal information of a data breach as soon as practicable under the Data Breach Notification obligation. Why? The difference in responsibilities reflects the importance of creating role-based obligations for companies that process personal data.

Role-based obligations are not unique to personal data protection; they are employed in cybersecurity and other regulations. For example, the Shared Responsibility Model in cybersecurity outlines the responsibilities of cloud service providers and their customers for securing every aspect of the cloud environment, such as hardware, infrastructure, data, configurations, network controls, and access rights. Under this model of role-based obligations, cloud service providers must monitor and respond to security threats related to the cloud and its underlying infrastructure, while customers are responsible for protecting data and other assets they store in the cloud environment.

Why Does the Organisation/Intermediary Distinction Matter?

Distinguishing between organisations and data intermediaries ensures that data protection laws impose obligations that reflect a company’s role in handling personal data. The distinction helps safeguard individuals’ personal data without inadvertently creating new privacy or security risks. Here are two practical examples:

• Responding to Access and Correction Requests: The PDPA requires organisations to respond to access and correction requests — but does not place the same obligation on data intermediaries. This is for good reason. Responding to requests to access or correct personal data requires knowing what is in that data. Organisations typically interact with individuals and decide when and why to collect their data, so they are well-positioned to make that determination. Data intermediaries, on the other hand, often lack visibility into the data they process on behalf of an organisation and may even be contractually prohibited from looking at it. Moreover, a data intermediary may not know if there is a reason to deny a request, such as when a request for access to personal data is excessive or could reveal another individual’s personal data. Requiring data intermediaries to respond directly to requests to access and correct personal data may therefore create both security risks (by requiring them to provide data to individuals they do not know) and privacy risks (by requiring them to look at data they otherwise would not).
• Data Security: In contrast to individual-facing obligations, like the requirement to honour access and correction requests, all companies should have obligations to safeguard the personal data they process. The PDPA recognises this by applying the Protection and Retention Limitation obligations to both organisations and data intermediaries. Both types of companies should employ reasonable and appropriate security measures.

Alignment with International Privacy Standards

The PDPA’s distinction between organisations and data intermediaries is in line with a longstanding distinction found in data protection and privacy laws worldwide. Leading international privacy standards — including ISO 27701 and voluntary frameworks that ensure personal data can be transferred across national borders, such as the APEC Cross Border Privacy Rules — distinguish between both types of companies. So do data protection laws worldwide, including:

• the European Union – where the General Data Protection Regulation uses the terms “controller” and “processor”;
• Malaysia – which uses the terms “data user” and “data processor”;
• the Philippines – which uses the terms “personal information controller” and “personal information processor”; and
• Thailand – which uses the terms “data controller” and “data processor”.

As one of the few mature data protection regimes in the region, Singapore is a standard bearer and plays a leading role in setting precedents for the region. The Personal Data Protection Commission (PDPC) has been actively helping organisations and data intermediaries meet their obligations under the PDPA. The PDPC has published several guidance documents to help organisations and data intermediaries. For instance, the Advisory Guidelines on Key Concepts in the Personal Data Protection Act provides clarifications on data intermediaries in Chapter 6. The PDPC has also published comprehensive guidance to help organisations manage the data intermediary lifecycle in the Guide to Managing Data Intermediaries.

How Should Companies Meet Their Obligations as Organisations and Data Intermediaries?

An important first step is determining if your company acts as an organisation or data intermediary.

In some cases, a company may act in both roles for different types of processing activities. For example, a company that acts as a data intermediary and processes data on behalf of its business customers may also act as an organisation for its own internal processing activities, such as processing its employee information. To identify and implement effective privacy compliance practices, it is important to start by understanding whether your company acts as an organisation or a data intermediary for the range of its processing activities.

What Both Organisations and Data Intermediaries Should Be Aware Of

In many cases, compliance practices for both organisations and data intermediaries may be implemented through contractual commitments. Before entering a contractual relationship, both parties should ensure that the roles and responsibilities of the organisation and data intermediary are well-established and consistent with the respective responsibilities of the organisation and data intermediary under the PDPA.

Conclusion

It is important for companies, whether large or small, to be aware of the distinction between organisations and their data intermediaries so they can ensure their compliance measures are fit for purpose.

Contributed by: Wong Wai San, Senior Manager, Policy – APAC, BSA | The Software Alliance.