MCI's response to PQ on timeline of the implementation of the Data Protection Bill

Parliament Sitting on or after 18 January 2012


Mr Yeo Guat Kwang: To ask the Minister for Information, Communications and the Arts if he will provide an update on the timelines for the introduction and implementation of the proposed data protection law and the Do-Not-Call (DNC) registry.


Development of the Data Protection Law
Last year, the Government announced that it would introduce a data protection law in Singapore to curb the excessive and unauthorised collection and use of consumers’ personal data, and that the proposed law was expected to be in place by 2012.
2    As data protection is a complex issue with wide-ranging impact, it was necessary to undertake careful study and conduct in-depth consultations with stakeholders in order to formulate a framework that best meets stakeholders’ needs while providing adequate safeguards to consumers. As part of the process, MICA launched a public consultation on 13 September 2011 to seek public views on the proposed framework, as well as initial views on whether a national Do-Not-Call (“DNC”) registry should be set up in Singapore.    
3    In view of the strong public interest and support for the proposed DNC registry, a second public consultation was launched on 31 October 2011 to seek public feedback on the implementation details of the proposed DNC registry.
4    MICA and IDA have reviewed the feedback received from the public consultations and are working with the Attorney-General’s Chambers (“AGC”) to draft the proposed Data Protection Bill, which includes the proposed DNC registry. Another round of public consultation will be conducted in the first quarter of 2012 to seek further feedback on the proposed Bill. We expect to introduce the Data Protection Bill in Parliament by the third quarter of this year.
Implementation of the Data Protection Law and DNC Registry
5    While the data protection law is expected to be enacted by this year, a sunrise period of between one to two years, during which the data protection law is enacted but will not come into force, will be provided to allow organisations sufficient time to put in place the necessary measures to comply with the law. Based on the feedback we received from the public consultation, most were in favour of a one- to two-year sunrise period.
6    As for the DNC registry, it is expected to be operational approximately one year after the data protection law is passed. This period of time is necessary for the registry operator to be appointed and to carry out system development and testing before the DNC registry goes ‘live’.