I. INTRODUCTION

Singapore’s Personal Data Protection Act¹ [PDPA] has been in effect since four years ago,² and serves to balance the protection of individuals’ personal data with the ‘need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances’.³ Since then, the Personal Data Protection Commission [PDPC], with the help of public consultations,⁴ has continually revisited and augmented⁵ the PDPA’s various advisory guidelines.⁶

The PDPA stipulates various obligations, which organisations should fulfil based on ‘what a reasonable person would consider appropriate in the circumstances’, as per section 11(1) of the Act (the “reasonableness test”). This standard of reasonableness underpins the standard of compliance for all obligations under the PDPA,⁷ and the Advisory Guidelines on Key Concepts in the PDPA⁸ [Guidelines] clarifies that this applies to all private organisations⁹ as defined in section 2, regardless of their size.

This article aims to explore the relevance of an organisation’s size to the PDPA’s reasonableness test, and submits that the former should be considered as a factor in applying the latter. This may be done, for instance, by providing for it in the Guidelines.

II. MINIMAL SCOPE FOR SIZE IN THE PDPA’S REASONABLENESS TEST

Currently, the size of the organisation appears to be contemplated only by the Protection Obligation – when determining whether reasonable security arrangements have been made to prevent unauthorised handling of personal data under section 24 of the PDPA. This is seen from the Guidelines, which provide only general guidance for compliance¹⁰ and mention the size of the organisation only once: as a factor in risk assessment exercises determining whether information security arrangements are adequate.¹¹ Otherwise, the PDPA legislation and jurisprudence do not feature the size of the organisation in applying the reasonableness test for any other obligation. There does not appear to be any debate on this issue; one can only guess that the drafters of the PDPA believed that fulfilling these other obligations was more important than the strain of compliance on organisations and/or that the obligations were generally undemanding for organisations that already had strong data protection practices. In any case, the PDPA prevents organisations from invoking their small size to unjustifiably exempt themselves from obligations to protect personal data.

Instead, the reasonableness of measures appears to turn on the impact on the individual whose personal data is mishandled and the compliance measures themselves. For example, the Accuracy Obligation under section 23 considers, inter alia, the nature of the personal data,¹² as well as the impact on the relevant individual should the data be inaccurate.¹³ Another example is the Notification Obligation under section 20, which considers the ‘circumstances and manner in which [the organisation] will be collecting the personal data’,¹⁴ the ‘frequency at which the personal data will be collected’¹⁵ and ‘the channel through which the notification is provided’.¹⁶ The size of the organisation does not appear to feature in the reasonableness test for any of the obligations under the PDPA, except for in the Protection Obligation.

III. ORGANIZATIONAL SIZE SHOULD BE A FACTOR

As a result of the above, the reasonableness test arguably fails to take into account the resource-scarce reality of many small organisations when determining whether they have discharged their obligations to a ‘reasonable’ standard under the PDPA. One example is where an organisation transfers personal data to its parent company overseas, and has to fulfil its Transfer Limitation Obligation under section 26 of the PDPA. The Guidelines suggest that the organisation reviews the corporate rules binding both organisations and assesses that they comply with these regulations, as well as that the data protection is ‘comparable to the standard under the PDPA’.¹⁷ This envisages studying rules, designing and executing appropriate transfers, as well as deciding whether corporate practices sufficiently comply with legislation – all difficult processes that require a certain amount of manpower or at least expertise that small organisations will not be as privy to as large ones. Except for in the Protection Obligation, the PDPA’s current reasonableness test essentially demands the same standard of compliance from the sole proprietor as that from the large, multinational company. This raises issues of resource inequality and disadvantage to small organisations, for which sustainability is already a challenge without the PDPA.

Considering the organisation’s size when applying the reasonableness test would better accord with the plain meaning of ‘reasonableness’. It appears unreasonable, in the barest and most layman sense of the word, to expect small organisations to comply with the PDPA as rigorously as large organisations. Then-President of the Singapore Chinese Chamber of Commerce and Industry, Mr Teo Siong Seng, emphasised during the Second Reading of the Personal Data Protection Bill that small organisations would struggle more with manpower, time-related and even consultancy costs of compliance with the PDPA.¹⁸ SMEs have since reportedly had to grapple with ‘overburdened staff’¹⁹ and five-figure costs on ‘new procedures, staff training and the upgrading of technology]’.²⁰ In particular, the obligation to ‘develop and implement policies and practices that are necessary’ to comply with the PDPA, as per section 12(a) of the Act, is manifestly more difficult for small organisations than it is for large ones. Taking into account an organisation’s size would achieve better approximations of what a ‘reasonable person would consider appropriate in the circumstances’. This would in turn produce more practical benefits: guiding the PDPC to achieve fairer adjudicative outcomes – ensuring that small organisations are not penalised for failing to take compliance measures beyond their means.

Further, having regard for the size of the organisation would better achieve the PDPA’s purpose of mitigating compliance costs.²¹ Organisations should save costs when implementing essential PDPA-compliant processes, as doing so guards against actionable, personal data breaches ‘under other statutes, at common law and equity’.²² This helps organisations save costs on litigation and compensation, which would be greater than the costs incurred for compliance with the PDPA. However, as the PDPA’s reasonableness test now apparently does not accommodate the inherent differences between small and large organisations, small organisations may find themselves tending toward the safest practices or ‘best solution[s]’ adopted by large organisations, which may be too costly for them.²³ Recognising that the size of the organisation should affect what is considered ‘reasonable’ compliance would give a green light to small organisations and their consultants (if they can afford any) to exercise latitude in adopting more cost-efficient practices that would still comply with the PDPA.²⁴

Considering the organisation’s size would also better achieve the PDPA’s purpose of enhancing Singapore’s business competitiveness.²⁵ Holding small organisations to the same standard of ‘reasonableness’ as large organisations in complying with the PDPA has deleterious effects on the former’s operations.²⁶ This is because compliance with the PDPA requires a large amount of time, cost and effort that could otherwise be invested productively into the organisation’s operations.²⁷ Such resource-demanding measures include studying the PDPA, appointing a Personal Data Officer,²⁸ developing policies and practices for compliance²⁹ that must be then communicated to staff,³⁰ as well as training staff to receive and respond to PDPA-related inquiries and complaints.³¹ This has arguably even worse consequences for small social service organisations, which already struggle to make the most of their resources to perform their charitable works. Imposing the reasonableness test for compliance – without considering their sizes – risks impeding the good work of these organisations and generally inhibiting the progress of Singapore’s social service sector – a result that is normatively undesirable. A reasonableness test that accounts for the organisation’s size would encourage small organisations to consider practices that are less operationally disruptive than those that large organisations adopt but would still comply with the PDPA. Such would not only facilitate the Act’s aim of business productivity and competitiveness, but also the socially desirable aims of various social service organisations.

IV. THE DANGERS OF CONSIDERING ORGANIZATIONAL SIZE

The dangers of considering an organisation’s size in applying the reasonableness test may be observed from the effects of Australia’s Privacy Act 1988³² [APA], which makes exemptions for small businesses.³³ This ‘small business exemption’ has been heavily criticised, and the Australian Law Reform Commission even recommended its repeal in 2008.³⁴ In particular, it has been argued that organisational size is unrelated to the risk of personal data breach; such depends instead on the nature of the data, its handling and the organisation’s operations.³⁵ There have been concerns that the APA may be abused by small organisations, which are given a statutory backdoor to misuse personal data in the name of cost-effectiveness.³⁶

Including the organisation’s size as only a factor in the PDPA’s reasonableness test would be an appropriately moderate approach that mitigates the risk of completely exempting small, rogue organisations. In fact, as suggested, the organisation’s size could be mentioned as a factor only in the Guidelines. Since the Guidelines are ‘advisory’ and ‘do not constitute legal advice’,³⁷ this would mitigate the risk of giving small organisations carte blanche to breach the PDPA – holding small organisations to baseline standards of compliance. The non-conclusive status of a ‘factor’, as well as the non-binding nature of the Guidelines, also collectively preserve the PDPC’s ability to find PDPA breaches regardless of the organisation’s size. The only difference would be that the PDPC should be persuaded to weigh the small size of the organisation as one of many factors in deciding whether there is a breach of the Act.

V. MOVING FORWARD: CHALLENGES IN DEFINING ‘SIZE’

In sum, an organisation’s size should be considered as a factor in the PDPA’s reasonableness test as such better accords with the plain meaning of ‘reasonableness’, as well as better achieves the Act’s purposes of enhancing Singapore’s business competitiveness while managing compliance costs.

Having explored the legal and normative justifications of incorporating the organisation’s size as a factor in the PDPA’s reasonableness test, this article notes that defining ‘size’ has proven and can be expected to be tricky. The Australian Privacy Act’s definition of a ‘small business’ may be used as a case study. It sets out what would and would not qualify for the exemption, and has two significant features: first, it pegs ‘size’ primarily to the organisation’s annual turnover.³⁸ Second, it adopts a binary view of what would be ‘small’ and not. Suggestions have been made to raise the Privacy Act’s turnover threshold, to account for inflation.³⁹ There have also been suggestions to base the definition instead on specific levels of risk ⁴⁰ or simply the number of employees in the organisation.⁴¹ Each of these has attracted its criticisms.

Thus, careful thought should be given as to what definition of ‘size’ would be a suitable factor in the PDPA’s ‘reasonableness’ test, considering the Act’s aim of promoting business competitiveness and data protection while moderating compliance costs. These, as well as other matters related to how the size of the organisation may or should affect its compliance obligations, should also be further considered.

INTRODUCTION

In 1998, persons suffering from Acquired Immune Deficiency Syndrome (AIDS) or infected with Human Immunodeficiency Virus (HIV) were explicitly listed as “prohibited immigrant[s]” under s 8(3)(ba) of Singapore’s Immigration Act¹ to protect Singapore’s public health in the wake of a global HIV epidemic.² This manifested in a ban on HIV-positive foreigners from entering the country. While the ban on foreigners on short-term visit passes was quietly lifted in 2015, persons with HIV or AIDS are still prohibited from long-term visits to Singapore – the official reason being that “the public health risk posed by long-stayers is not insignificant”.³ This article aims to study the reasons for s 8(3)(ba) and the existing HIV-related immigration restrictions, and submits that they should be repealed and removed respectively.

THE CASE FOR REMOVAL OF HIV-RELATED IMMIGRATION RESTRICTIONS

A. The restrictions are an outdated model intended for an unpredictable epidemic

It is submitted that the restrictions on HIV-positive immigrants no longer serve their original purpose as a response to an unpredictable epidemic on a global scale. The context in which HIV-positive foreigners were listed as “prohibited immigrants” in 1998 concerned a dramatic increase in the number of HIV infected residents: Singapore had almost 200 reported cases, and more alarmingly, 42 new cases of HIV and AIDS were reported in 1991, vis-à-vis the 61 cases between 1985 and 1990. Against this backdrop of domestic increase in HIV infections was our large number of HIV-positive foreigners: 2,813 foreigners had been tested to be HIV-positive while in Singapore, 80% of whom were work permit holders and applicants.⁴ The “policy on the repatriation and permanent blacklisting of HIV-positive foreigners”⁵ was Singapore’s consequent response to that global crisis, as we were perceived to be “particularly vulnerable… [given] people coming into Singapore in far greater numbers, and Singaporeans [travelling] abroad even more frequently”.⁶

It is submitted that this policy is outmoded. Today, the rate of new HIV cases has generally been constant at about 450 new reported cases each year since 2008.⁷ The rate of HIV infection is generally maintained unlike in the past; treatment and control measures have made the disease much more predictable, and the heavy response we opted for decades ago is arguably inappropriate given the relatively moderate scale at which HIV spreads today.

Furthermore, immigration restrictions have become a disproportionate response to the severity of HIV, which today has reduced dramatically. The policy against HIV-positive foreigners was recommended when HIV was “new, fatal and no effective treatment was available”;⁸ HIV was considered a “death sentence”.⁹ This is no longer the case today as “more than 5,000 Singapore residents [live] with HIV” and there is “effective treatment for the disease”. In fact, HIV-positive persons on antiretroviral therapy may be “successfully virally suppressed” and “not infectious to other people”. In this vein, it is submitted that any prohibition on HIV-positive immigrants despite their non-infectiousness is disproportionate to the alleged “public health risk” they pose.

B. The restrictions are ineffective in reducing the spread of HIV

Increasingly, it is clear that Singapore’s policy against HIV-positive immigrants does not reduce the type of public health risk it purports to.¹¹ Since 97% of HIV contraction in Singapore is through sexual intercourse,¹² the main persons at risk are sexual partners of infected persons, who only transmit HIV via certain kinds of sexual behaviour; no health risk is posed to the general public through casual contact. Persons infected with HIV are thus significantly different from persons infected by other contagious diseases that make their very “presence in Singapore dangerous to the community”,¹³ and should not warrant the same immigration restrictions they do. Most importantly, punitive measures such as immigration restrictions have been proven to be relatively ineffective in preventing transmission, and in fact “may limit the uptake of HIV voluntary testing and hinder adherence to HIV treatment”.¹⁴ In this vein, it is submitted that an HIV-positive person should not be banned from long-term stay in Singapore while a person suffering from a different type of sexually transmitted disease is not, since these are all ‘controlled’ diseases that are not effectively reducible by immigration restrictions.

Furthermore, concerns that foreigners (aware or unaware of their HIV status) may (intentionally or unintentionally) spread the disease would generally be well controlled under Singapore’s strict domestic laws against HIV infection.¹⁵ In particular, an immigrant who knows he has HIV,¹⁶ or for whatever reason does not know he has HIV but has reason to believe that he has or has been exposed to a significant risk of infection, must disclose this risk to his sexual partner before engaging in sexual activity, or be liable to criminal charges as per s 23(2) of the Infectious Diseases Act.¹⁷

In any case, the risk of HIV spreading is greatly ameliorated by the availability of anonymous HIV testing, increasing public education about HIV in schools and workplaces,¹⁸ guidelines to manage HIV at the workplace, and advancements in public health practices¹⁹ – all of which would be readily available to both the HIV-negative populace and HIV-positive immigrants to mutually prevent infection.

In this vein, it is further submitted that the distinction between the public health risk posed by short-term visitors and long-term visitors is arbitrary; the duration of one’s stay is much less a variable of a person’s infectiousness, compared to more important factors such as one’s knowledge, disclosure and treatment of the disease – all of which are generally well regulated in Singapore.

While it is acknowledged that HIV infection rates are still higher than before Singapore implemented its current HIV-related immigration restrictions in 1998, it is submitted that lifting our immigration restrictions would have negligible effect on the current domestic spread of HIV. Firstly, overall HIV infection rates among adults are stabilising worldwide;²⁰ Singapore’s HIV infection rates are not out of the ordinary, and removing HIV-related immigration restrictions would not reasonably lead to an exceptionally large number of HIV-positive foreigners entering Singapore. Secondly, the spread of HIV carried by immigrants may be circumscribed, for instance, by continuing to require mandatory testing for long-term visitors²¹ and/or subjecting them to the same laws relating to HIV infection as those applying to all Singaporeans.

C. Repealing s 8(3)(ba) would reduce stigma and better satisfy public conscience

It is submitted that removing HIV-related immigration restrictions would better achieve Parliament’s underlying objective to promote inclusiveness and reduce stigma today. When Parliament crafted HIV-related laws, they were concerned with treating patients “humanely and with great compassion” as they and their loved ones undergo “great suffering and social stigma”.²² However, this had to be balanced with “protecting innocent people” from contracting HIV,²³ which led to prohibitions on HIV-foreigners from entering the country while HIV-positive Singaporeans remained to seek treatment at home. Noticeably, this by implication seems to unfairly characterise HIV-positive immigrants as a group distinct from “innocent people” in society, even though HIV-positive persons are in many cases victims of circumstance. Given our many health and social support systems, as well as the treatability of HIV that may even render an infected patient ‘risk-free’, the protection of both HIV-positive and negative persons today is not a zero-sum game. It is thus submitted that Parliament’s previous concern about balancing the interests of HIV-positive and negative persons today should be adjusted such that HIV-related immigration restrictions are removed.

Further, Parliament should repeal s 8(3)(ba) as a matter of public conscience. Since the late 20th Century, HIV-positive persons have ranged from married wives infected by their husbands, to children infected perinatally, to blood donees via transfusion, to health care workers via clinical procedures.²⁴ 97% of HIV contraction in Singapore is through sexual intercourse, and this is not limited to individuals engaging in high-risk sexual behaviour – often victims have sexual partners’ whose HIV status was either undisclosed or unknown. It therefore seems unjust that the HIV-positive foreigner is labelled a “prohibited immigrant” alongside charges on the public,²⁶ outlaws,²⁷ prostitutes,²⁸ procurers,²⁹ vagrants,³⁰ and persons seeking to overthrow the government by violence³¹ as our laws should seek treat them with compassion accordingly.

To this end, it is submitted that HIV-positive persons should be allowed to enter Singapore as ‘lawful’ immigrants and stay long-term should they choose to, without being ‘exceptionalised’ and ‘othered’ as a group whose mere presence is a danger to public health – a widespread perception that is taught as untrue, and would be better proven with the removal of s 8(3)(ba). Such a legal reform would enhance the inclusiveness of our whole community, which includes both HIV-positive and negative persons.

CONCLUSION

Removing HIV-related immigration restrictions would not be an unprecedented policy, and Singapore has the benefit of gleaning from the experience of many other countries that have done this. From 2000 to mid-2013, there was a more than 50% reduction in the number of territories with HIV-related travel restrictions – from 96 to 43.³² In particular, the United States had a similar experience to Singapore’s: first applying a blanket ban on HIV-positive foreigners given its large influx of immigrants and the explosion of the AIDS epidemic in the 1980s, before removing the restrictions on short-term travellers in 2006, and eventually removing the ban entirely in 2010 – a process catalysed by vocal opposition from the international community.³³ Changing a law typically takes time and effort, and the process requires the community to voice its concerns and what it thinks is right. This article hopes to aid in this respect, as part of former and ongoing efforts by other members of the community to do the same.