Foo Ee Yeong Daniel

Suggestions on the relevance of the Organization's Size to Section 11 of Singapore's Personal Data Protection Act

By Foo Ee Yeong Daniel


Singapore’s Personal Data Protection Act1 [PDPA] has been in effect since four years ago,2 and serves to balance the protection of individuals’ personal data with the ‘need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances’.3 Since then, the Personal Data Protection Commission [PDPC], with the help of public consultations,4 has continually revisited and augmented5 the PDPA’s various advisory guidelines.6

The PDPA stipulates various obligations, which organisations should fulfil based on ‘what a reasonable person would consider appropriate in the circumstances’, as per section 11(1) of the Act (the “reasonableness test”). This standard of reasonableness underpins the standard of compliance for all obligations under the PDPA,7 and the Advisory Guidelines on Key Concepts in the PDPA8 [Guidelines] clarifies that this applies to all private organisations9 as defined in section 2, regardless of their size.

This article aims to explore the relevance of an organisation’s size to the PDPA’s reasonableness test, and submits that the former should be considered as a factor in applying the latter. This may be done, for instance, by providing for it in the Guidelines.


Currently, the size of the organisation appears to be contemplated only by the Protection Obligation – when determining whether reasonable security arrangements have been made to prevent unauthorised handling of personal data under section 24 of the PDPA. This is seen from the Guidelines, which provide only general guidance for compliance10 and mention the size of the organisation only once: as a factor in risk assessment exercises determining whether information security arrangements are adequate.11 Otherwise, the PDPA legislation and jurisprudence do not feature the size of the organisation in applying the reasonableness test for any other obligation. There does not appear to be any debate on this issue; one can only guess that the drafters of the PDPA believed that fulfilling these other obligations was more important than the strain of compliance on organisations and/or that the obligations were generally undemanding for organisations that already had strong data protection practices. In any case, the PDPA prevents organisations from invoking their small size to unjustifiably exempt themselves from obligations to protect personal data.

Instead, the reasonableness of measures appears to turn on the impact on the individual whose personal data is mishandled and the compliance measures themselves. For example, the Accuracy Obligation under section 23 considers, inter alia, the nature of the personal data,12 as well as the impact on the relevant individual should the data be inaccurate.13 Another example is the Notification Obligation under section 20, which considers the ‘circumstances and manner in which [the organisation] will be collecting the personal data’,14 the ‘frequency at which the personal data will be collected’15 and ‘the channel through which the notification is provided’.16 The size of the organisation does not appear to feature in the reasonableness test for any of the obligations under the PDPA, except for in the Protection Obligation.


As a result of the above, the reasonableness test arguably fails to take into account the resource-scarce reality of many small organisations when determining whether they have discharged their obligations to a ‘reasonable’ standard under the PDPA. One example is where an organisation transfers personal data to its parent company overseas, and has to fulfil its Transfer Limitation Obligation under section 26 of the PDPA. The Guidelines suggest that the organisation reviews the corporate rules binding both organisations and assesses that they comply with these regulations, as well as that the data protection is ‘comparable to the standard under the PDPA’.17 This envisages studying rules, designing and executing appropriate transfers, as well as deciding whether corporate practices sufficiently comply with legislation – all difficult processes that require a certain amount of manpower or at least expertise that small organisations will not be as privy to as large ones. Except for in the Protection Obligation, the PDPA’s current reasonableness test essentially demands the same standard of compliance from the sole proprietor as that from the large, multinational company. This raises issues of resource inequality and disadvantage to small organisations, for which sustainability is already a challenge without the PDPA.

Considering the organisation’s size when applying the reasonableness test would better accord with the plain meaning of ‘reasonableness’. It appears unreasonable, in the barest and most layman sense of the word, to expect small organisations to comply with the PDPA as rigorously as large organisations. Then-President of the Singapore Chinese Chamber of Commerce and Industry, Mr Teo Siong Seng, emphasised during the Second Reading of the Personal Data Protection Bill that small organisations would struggle more with manpower, time-related and even consultancy costs of compliance with the PDPA.18 SMEs have since reportedly had to grapple with ‘overburdened staff’19 and five-figure costs on ‘new procedures, staff training and the upgrading of technology]’.20 In particular, the obligation to ‘develop and implement policies and practices that are necessary’ to comply with the PDPA, as per section 12(a) of the Act, is manifestly more difficult for small organisations than it is for large ones. Taking into account an organisation’s size would achieve better approximations of what a ‘reasonable person would consider appropriate in the circumstances’. This would in turn produce more practical benefits: guiding the PDPC to achieve fairer adjudicative outcomes – ensuring that small organisations are not penalised for failing to take compliance measures beyond their means.

Further, having regard for the size of the organisation would better achieve the PDPA’s purpose of mitigating compliance costs.21 Organisations should save costs when implementing essential PDPA-compliant processes, as doing so guards against actionable, personal data breaches ‘under other statutes, at common law and equity’.22 This helps organisations save costs on litigation and compensation, which would be greater than the costs incurred for compliance with the PDPA. However, as the PDPA’s reasonableness test now apparently does not accommodate the inherent differences between small and large organisations, small organisations may find themselves tending toward the safest practices or ‘best solution[s]’ adopted by large organisations, which may be too costly for them.23 Recognising that the size of the organisation should affect what is considered ‘reasonable’ compliance would give a green light to small organisations and their consultants (if they can afford any) to exercise latitude in adopting more cost-efficient practices that would still comply with the PDPA.24

Considering the organisation’s size would also better achieve the PDPA’s purpose of enhancing Singapore’s business competitiveness.25 Holding small organisations to the same standard of ‘reasonableness’ as large organisations in complying with the PDPA has deleterious effects on the former’s operations.26 This is because compliance with the PDPA requires a large amount of time, cost and effort that could otherwise be invested productively into the organisation’s operations.27 Such resource-demanding measures include studying the PDPA, appointing a Personal Data Officer,28 developing policies and practices for compliance29 that must be then communicated to staff,30 as well as training staff to receive and respond to PDPA-related inquiries and complaints.31 This has arguably even worse consequences for small social service organisations, which already struggle to make the most of their resources to perform their charitable works. Imposing the reasonableness test for compliance – without considering their sizes – risks impeding the good work of these organisations and generally inhibiting the progress of Singapore’s social service sector – a result that is normatively undesirable. A reasonableness test that accounts for the organisation’s size would encourage small organisations to consider practices that are less operationally disruptive than those that large organisations adopt but would still comply with the PDPA. Such would not only facilitate the Act’s aim of business productivity and competitiveness, but also the socially desirable aims of various social service organisations.


The dangers of considering an organisation’s size in applying the reasonableness test may be observed from the effects of Australia’s Privacy Act 198832 [APA], which makes exemptions for small businesses.33 This ‘small business exemption’ has been heavily criticised, and the Australian Law Reform Commission even recommended its repeal in 2008.34 In particular, it has been argued that organisational size is unrelated to the risk of personal data breach; such depends instead on the nature of the data, its handling and the organisation’s operations.35 There have been concerns that the APA may be abused by small organisations, which are given a statutory backdoor to misuse personal data in the name of cost-effectiveness.36

Including the organisation’s size as only a factor in the PDPA’s reasonableness test would be an appropriately moderate approach that mitigates the risk of completely exempting small, rogue organisations. In fact, as suggested, the organisation’s size could be mentioned as a factor only in the Guidelines. Since the Guidelines are ‘advisory’ and ‘do not constitute legal advice’,37 this would mitigate the risk of giving small organisations carte blanche to breach the PDPA – holding small organisations to baseline standards of compliance. The non-conclusive status of a ‘factor’, as well as the non-binding nature of the Guidelines, also collectively preserve the PDPC’s ability to find PDPA breaches regardless of the organisation’s size. The only difference would be that the PDPC should be persuaded to weigh the small size of the organisation as one of many factors in deciding whether there is a breach of the Act.


In sum, an organisation’s size should be considered as a factor in the PDPA’s reasonableness test as such better accords with the plain meaning of ‘reasonableness’, as well as better achieves the Act’s purposes of enhancing Singapore’s business competitiveness while managing compliance costs.

Having explored the legal and normative justifications of incorporating the organisation’s size as a factor in the PDPA’s reasonableness test, this article notes that defining ‘size’ has proven and can be expected to be tricky. The Australian Privacy Act’s definition of a ‘small business’ may be used as a case study. It sets out what would and would not qualify for the exemption, and has two significant features: first, it pegs ‘size’ primarily to the organisation’s annual turnover.38 Second, it adopts a binary view of what would be ‘small’ and not. Suggestions have been made to raise the Privacy Act’s turnover threshold, to account for inflation.39 There have also been suggestions to base the definition instead on specific levels of risk 40 or simply the number of employees in the organisation.41 Each of these has attracted its criticisms.

Thus, careful thought should be given as to what definition of ‘size’ would be a suitable factor in the PDPA’s ‘reasonableness’ test, considering the Act’s aim of promoting business competitiveness and data protection while moderating compliance costs. These, as well as other matters related to how the size of the organisation may or should affect its compliance obligations, should also be further considered.

[1] Personal Data Protection Act (No. 26 of 2012).

[2] According to the Personal Data Protection Commission of Singapore, “Legislation and Guidelines”, online: <>, ‘[t]he PDPA took effect in phases starting with the provisions relating to the formation of the PDPA on 2 January 2013. Provisions relating to the DNC Registry came into effect on 2 January 2014 and the main data protection rules on 2 July 2014.’

[3] Supra note 1 at s 3.

[4] A useful repository of these consultation papers may be found at the Personal Data Protection Commission of Singapore, “Public Consultations”, online: <>.

[5] Singapore Parliamentary Debates, Official Report, vol 93 (10 March 2015) (Assoc Prof Dr Yaacob Ibrahim).

[6] Supra note 1 at s 49(1) states that the ‘Commission may, from time to time, issue written advisory guidelines indicating the manner in which the Commission will interpret the provisions of this Act’.

[7] These may be broadly labelled as the Consent Obligation, Purpose Limitation Obligation, Notification Obligation, Access and Correction Obligation, Accuracy Obligation, Protection Obligation, Retention Limitation Obligation, Transfer Limitation Obligation and Openness Obligation. This article will look at only a few of these obligations, mostly for illustrative purposes.

[8] Personal Data Protection Commission of Singapore, “Advisory Guidelines on Key Concepts in the PDPA” (revised 27 July 2017).

[9] Ibid at 6.3.

[10] Personal Data Protection Commission of Singapore, “Introduction to the Guidelines” at para 3.3.

[11] Supra note 8 at 17.4(a).

[12] Ibid at 16.4(a).

[13] Ibid at 16.4(e).

[14] Ibid at 14.10(a).

[15] Ibid at 14.10(c).

[16] Ibid at 14.10(d).

[17] Ibid at 19.4.

[18] Parliamentary Debates Singapore: Official Report, vol 89 (15 October 2012) (Nominated Member, Mr Teo Siong Seng). Mr Teo spoke as then-President of the Singapore Chinese Chamber of Commerce and Industry, ‘representing 4,000 corporate members and 145 trade associations from a great diversity of trades, industries and service providers’.

[19] The Straits Times, “Privacy Act sows confusion”, online: <>.

[20] The Straits Times, “Early childhood educator simplifies personal data protection requirements”, online: <>.

[21] Singapore Parliamentary Debates, Official Report, vol 89 (15 October 2012) (Minister for Communications and Information, Associate Professor Dr Yaacob Ibrahim).

[22] Hannah YeeFen Lim, Data Protection in the Practical Context: Strategies and Techniques (Singapore: Academy Publishing, 2017) at 1.2.

[23] Supra note 19.

[24] It is interesting to note that organisations are already advised to consider their size in deciding appropriate audit processes, as per Alat Sheela, Role Of Audit In Your Organisation’s Personal Data Protection Act 2012 Compliance Programme, Personal Data Protection Digest (Singapore: Academy Publishing, 2017) at 10. It is submitted that this should be the case for all forms of compliance practices.

[25] Supra note 22.

[26] This was recently alluded to in Parliamentary Debates Singapore: Official Report, vol 94 (6 March 2017) (Member of Parliament, Mr Saktiandi Supaat): the need to protect personal data has made it ‘more difficult’ for businesses to ‘use data innovatively and optimize business opportunities’.

[27] Supra note 19.

[28] This is an extension of the PDPA’s obligations; supra note 1 at s 11(3).

[29] Ibid at s 12(a).

[30] Ibid at s 12(c).

[31] Ibid at s 12(b).

[32] Privacy Act 1988 (Cth).

[33] Ibid at s 6C.

[34] See Recommendation 39-1 in Australian Law Reform Commission, “Australian Privacy Law and Practice Report 108” at p 53.

[35] Ibid at 39.26.

[36] A more detailed analysis of the Privacy Act 1988’s ‘small business exemption’ may be found in Supra note 35.

[37] Supra note 10 at 3.1.

[38] Supra note 32 at s 6D.

[39] Supra note 34 at 39.124.

[40] As determined by the type of data and number of individuals about whom data is held; Ibid at 39.126.

[41] Ibid at 39.129.

The PDF version of this article is available for download here.

The Case For Removal Of HIV-Related Immigration Restrictions In Singapore

by Foo Ee Yeong Daniel


In 1998, persons suffering from Acquired Immune Deficiency Syndrome (AIDS) or infected with Human Immunodeficiency Virus (HIV) were explicitly listed as “prohibited immigrant[s]” under s 8(3)(ba) of Singapore’s Immigration Act1 to protect Singapore’s public health in the wake of a global HIV epidemic.2 This manifested in a ban on HIV-positive foreigners from entering the country. While the ban on foreigners on short-term visit passes was quietly lifted in 2015, persons with HIV or AIDS are still prohibited from long-term visits to Singapore – the official reason being that “the public health risk posed by long-stayers is not insignificant”.3 This article aims to study the reasons for s 8(3)(ba) and the existing HIV-related immigration restrictions, and submits that they should be repealed and removed respectively.


A. The restrictions are an outdated model intended for an unpredictable epidemic

It is submitted that the restrictions on HIV-positive immigrants no longer serve their original purpose as a response to an unpredictable epidemic on a global scale. The context in which HIV-positive foreigners were listed as “prohibited immigrants” in 1998 concerned a dramatic increase in the number of HIV infected residents: Singapore had almost 200 reported cases, and more alarmingly, 42 new cases of HIV and AIDS were reported in 1991, vis-à-vis the 61 cases between 1985 and 1990. Against this backdrop of domestic increase in HIV infections was our large number of HIV-positive foreigners: 2,813 foreigners had been tested to be HIV-positive while in Singapore, 80% of whom were work permit holders and applicants.4 The “policy on the repatriation and permanent blacklisting of HIV-positive foreigners”5 was Singapore’s consequent response to that global crisis, as we were perceived to be “particularly vulnerable… [given] people coming into Singapore in far greater numbers, and Singaporeans [travelling] abroad even more frequently”.6

It is submitted that this policy is outmoded. Today, the rate of new HIV cases has generally been constant at about 450 new reported cases each year since 2008.7 The rate of HIV infection is generally maintained unlike in the past; treatment and control measures have made the disease much more predictable, and the heavy response we opted for decades ago is arguably inappropriate given the relatively moderate scale at which HIV spreads today.

Furthermore, immigration restrictions have become a disproportionate response to the severity of HIV, which today has reduced dramatically. The policy against HIV-positive foreigners was recommended when HIV was “new, fatal and no effective treatment was available”;8 HIV was considered a “death sentence”.9 This is no longer the case today as “more than 5,000 Singapore residents [live] with HIV” and there is “effective treatment for the disease”. In fact, HIV-positive persons on antiretroviral therapy may be “successfully virally suppressed” and “not infectious to other people”. In this vein, it is submitted that any prohibition on HIV-positive immigrants despite their non-infectiousness is disproportionate to the alleged “public health risk” they pose.

B. The restrictions are ineffective in reducing the spread of HIV

Increasingly, it is clear that Singapore’s policy against HIV-positive immigrants does not reduce the type of public health risk it purports to.11 Since 97% of HIV contraction in Singapore is through sexual intercourse,12 the main persons at risk are sexual partners of infected persons, who only transmit HIV via certain kinds of sexual behaviour; no health risk is posed to the general public through casual contact. Persons infected with HIV are thus significantly different from persons infected by other contagious diseases that make their very “presence in Singapore dangerous to the community”,13 and should not warrant the same immigration restrictions they do. Most importantly, punitive measures such as immigration restrictions have been proven to be relatively ineffective in preventing transmission, and in fact “may limit the uptake of HIV voluntary testing and hinder adherence to HIV treatment”.14 In this vein, it is submitted that an HIV-positive person should not be banned from long-term stay in Singapore while a person suffering from a different type of sexually transmitted disease is not, since these are all ‘controlled’ diseases that are not effectively reducible by immigration restrictions.

Furthermore, concerns that foreigners (aware or unaware of their HIV status) may (intentionally or unintentionally) spread the disease would generally be well controlled under Singapore’s strict domestic laws against HIV infection.15 In particular, an immigrant who knows he has HIV,16 or for whatever reason does not know he has HIV but has reason to believe that he has or has been exposed to a significant risk of infection, must disclose this risk to his sexual partner before engaging in sexual activity, or be liable to criminal charges as per s 23(2) of the Infectious Diseases Act.17

In any case, the risk of HIV spreading is greatly ameliorated by the availability of anonymous HIV testing, increasing public education about HIV in schools and workplaces,18 guidelines to manage HIV at the workplace, and advancements in public health practices19 – all of which would be readily available to both the HIV-negative populace and HIV-positive immigrants to mutually prevent infection.

In this vein, it is further submitted that the distinction between the public health risk posed by short-term visitors and long-term visitors is arbitrary; the duration of one’s stay is much less a variable of a person’s infectiousness, compared to more important factors such as one’s knowledge, disclosure and treatment of the disease – all of which are generally well regulated in Singapore.

While it is acknowledged that HIV infection rates are still higher than before Singapore implemented its current HIV-related immigration restrictions in 1998, it is submitted that lifting our immigration restrictions would have negligible effect on the current domestic spread of HIV. Firstly, overall HIV infection rates among adults are stabilising worldwide;20 Singapore’s HIV infection rates are not out of the ordinary, and removing HIV-related immigration restrictions would not reasonably lead to an exceptionally large number of HIV-positive foreigners entering Singapore. Secondly, the spread of HIV carried by immigrants may be circumscribed, for instance, by continuing to require mandatory testing for long-term visitors21 and/or subjecting them to the same laws relating to HIV infection as those applying to all Singaporeans.

C. Repealing s 8(3)(ba) would reduce stigma and better satisfy public conscience

It is submitted that removing HIV-related immigration restrictions would better achieve Parliament’s underlying objective to promote inclusiveness and reduce stigma today. When Parliament crafted HIV-related laws, they were concerned with treating patients “humanely and with great compassion” as they and their loved ones undergo “great suffering and social stigma”.22 However, this had to be balanced with “protecting innocent people” from contracting HIV,23 which led to prohibitions on HIV-foreigners from entering the country while HIV-positive Singaporeans remained to seek treatment at home. Noticeably, this by implication seems to unfairly characterise HIV-positive immigrants as a group distinct from “innocent people” in society, even though HIV-positive persons are in many cases victims of circumstance. Given our many health and social support systems, as well as the treatability of HIV that may even render an infected patient ‘risk-free’, the protection of both HIV-positive and negative persons today is not a zero-sum game. It is thus submitted that Parliament’s previous concern about balancing the interests of HIV-positive and negative persons today should be adjusted such that HIV-related immigration restrictions are removed.

Further, Parliament should repeal s 8(3)(ba) as a matter of public conscience. Since the late 20th Century, HIV-positive persons have ranged from married wives infected by their husbands, to children infected perinatally, to blood donees via transfusion, to health care workers via clinical procedures.24 97% of HIV contraction in Singapore is through sexual intercourse, and this is not limited to individuals engaging in high-risk sexual behaviour – often victims have sexual partners’ whose HIV status was either undisclosed or unknown. It therefore seems unjust that the HIV-positive foreigner is labelled a “prohibited immigrant” alongside charges on the public,26 outlaws,27 prostitutes,28 procurers,29 vagrants,30 and persons seeking to overthrow the government by violence31 as our laws should seek treat them with compassion accordingly.

To this end, it is submitted that HIV-positive persons should be allowed to enter Singapore as ‘lawful’ immigrants and stay long-term should they choose to, without being ‘exceptionalised’ and ‘othered’ as a group whose mere presence is a danger to public health – a widespread perception that is taught as untrue, and would be better proven with the removal of s 8(3)(ba). Such a legal reform would enhance the inclusiveness of our whole community, which includes both HIV-positive and negative persons.


Removing HIV-related immigration restrictions would not be an unprecedented policy, and Singapore has the benefit of gleaning from the experience of many other countries that have done this. From 2000 to mid-2013, there was a more than 50% reduction in the number of territories with HIV-related travel restrictions – from 96 to 43.32 In particular, the United States had a similar experience to Singapore’s: first applying a blanket ban on HIV-positive foreigners given its large influx of immigrants and the explosion of the AIDS epidemic in the 1980s, before removing the restrictions on short-term travellers in 2006, and eventually removing the ban entirely in 2010 – a process catalysed by vocal opposition from the international community.33 Changing a law typically takes time and effort, and the process requires the community to voice its concerns and what it thinks is right. This article hopes to aid in this respect, as part of former and ongoing efforts by other members of the community to do the same.

[1] Immigration Act (Cap 133, 2008 Rev Ed),

[2] Parliamentary Debates Singapore: Official Report, vol 69, col 939 (4 September 1998) (The Minister for Home Affairs (Mr Wong Kan Seng)),

[3] The Straits Times, “Ban on entry into Singapore eased for foreigners with HIV”, online: <>.

[4] Parliamentary Debates Singapore: Official Report, vol 70, col 24 (26 February 1999) (The Senior Minister of State for Health (Dr Aline K. Wong)).

[5] Supra note 3.

[6] Parliamentary Debates Singapore: Official Report, vol 70, col 31 (26 February 1999) (Mr Bernard Chen (West Coast)).

[7] The Straits Times, “455 new cases of HIV reported in Singapore in 2015, most patients got virus through sex”, online: <>.

[8] Supra note 3.

[9] Parliamentary Debates Singapore: Official Report, vol 70, col 31 (26 February 1999) (Mr Bernard Chen (West Coast)).

[10] The Straits Times, “Ban on entry into Singapore eased for foreigners with HIV”, online: <>.

[11] Parliamentary Debates Singapore: Official Report, vol 69, col 937 (4 September 1998) (The Minister for Home Affairs (Mr Wong Kan Seng)).

[12] Supra note 7.

[13] s 8(3)(b), Immigration Act (Cap 133, 2008 Rev Ed).

[14] UNAIDS Report 2013, page 92.

[15] ss 22 to 25A of the Infectious Diseases Act (Cap 137, 2003 Rev Ed).

[16] Ibid at s 23(1).

[17] Ibid at ss 23(2).

[18] Parliamentary Debates Singapore: Official Report, vol 86, col 1969 (11 January 2010) (Mr Khaw Boon Wan).

[19] This is similar to the considerations made by the United States in deciding that HIV infection is no longer a “significant public health risk”, as per the Department of Health and Human Services, “Medical Examination of Aliens – Removal of Human Immunodeficiency Virus (HIV) Infection From Definition of Communicable Disease of Public Health Significance”, online: <>.

[20] AVERT, “Global HIV and AIDS Statistics”, online: <>.

[21] Immigration & Checkpoints Authority, “Medical Examination for Successful Applicants of Employment Pass, Long-Term Immigration Pass and Permanent Residence”, online: <>.

[22] Parliamentary Debates Singapore: Official Report, vol 70, col 29 (26 February 1999) (The Senior Minister of State for Health (Dr Aline K. Wong)).

[23] Parliamentary Debates Singapore: Official Report, vol 70, col 34 (26 February 1999) (Dr Lily Neo (Kreta Ayer-Tanglin)).

[24] Parliamentary Debates Singapore: Official Report, vol 70, col 25 (26 February 1999) (The Senior Minister of State for Health (Dr Aline K. Wong)).

[25] The Straits Times, “455 new cases of HIV reported in Singapore in 2015, most patients got virus through sex”, online: <>.

[26]Immigration Act (Cap 133, 2008 Rev Ed), s 8(3)(a).

[27]Ibid at s 8(3)(d).

[28] Ibid at s 8(3)(e).

[29] Ibid at s 8(3)(f).

[30] Ibid at s 8(3)(g).

[31] Ibid at s 8(3)(i).

[32] Global Report UNAIDS report on the global AIDS epidemic 2013, page 92, online: <>.

[33] National Institutes of Health, United States National Library of Medicine, “The Impact of Removing the Immigration Ban on HIV-Infected Persons”, online: <>.

The PDF version of this entry can be found here.