Last updated: 07 Dec 2023

Memorandum of Understanding

Between

The Office of the Australian Information Commissioner

And

The Personal Data Protection Commission of the Republic of Singapore

On Cooperation in Personal Data Protection

The Office of the Australian Information Commissioner (“OAIC”) and the Personal Data Protection Commission of the Republic of Singapore (“PDPC”), hereinafter referred to individually as the “Participant” and collectively as the “Participants”,

  • Recognising the importance of data governance and cross border data flows to global trade in a digital economy, along with the importance of safeguarding the data protection rights of the citizens of Australia and the Republic of Singapore when they engage in the digital economy;
  • Recognising that in today’s globally connected digital economy, each Participant needs to be able to collaborate and co-operate on data protection matters and developments to ensure the effective protection of data protection rights of the citizens of Australia and the Republic of Singapore;
  • Reaffirming their intent to deepen their existing relations and to promote the safe exchanges in personal data protection to engender trust and facilitate trusted cross border data flows; and
  • Recognising the need to foster closer collaboration and cooperation in personal data protection,

Have reached the following understanding:

Paragraph 1: Purpose

1 This Memorandum of Understanding (“MOU”) has been developed in connection with the Australia-Singapore Digital Economy Agreement, in the context of objectives of the Joint Declaration by the Prime Ministers of Australia and Singapore on a Comprehensive Strategic Partnership’s objective to deepen bilateral relations and cooperation, and enhance the integration of the economies of Australia and the Republic of Singapore.

2 This MOU expresses the understandings and intentions of the Participants in relation to cooperation in personal data protection.

Paragraph 2: Scope of collaboration

1 The Participants will collaborate in personal data protection in accordance with this MOU. For this purpose, the Participants may jointly identify one or more areas or initiatives for cooperation. Such cooperation will be carried out in accordance with each Participant’s respective laws, regulations and competence, and may include:

  1. The sharing of experiences and exchange of best practices on data protection, which may include short-term attachments and exchange of officers;
  2. The sharing of and active participation in initiatives to develop the competencies of data protection officers[1];
  3. The exchange of information (excluding personal data) involving potential or on-going investigations of organisations in their respective jurisdictions in relation to a suspected contravention of either Participant’s data protection legislation;
  4. Provision of mutual assistance to facilitate investigations in the respective jurisdictions in relation to potential contraventions of either Participant’s data protection legislation;
  5. Co-ordination and provision of mutual assistance in parallel or joint investigations into cross border personal data incidents in relation to potential contraventions of data protection legislation in both jurisdictions (excluding the sharing of personal data);
  6. Active participation in and joint promotion of, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System (hereinafter “the CBPR System”) with the aim of improving awareness, participation, and encouraging greater industry adoption of the CBPR System;
  7. The exchange of information and sharing of experiences on the development and implementation of national trustmark or certification frameworks; and,
  8. Any other areas of cooperation as may be mutually decided upon by the Participants.

Paragraph 3: Specific arrangements

Each Participant may, within the limits of its respective laws, regulations and competence, enter into separate written arrangements with the other Participant, for the execution of projects or activities within the scope of this MOU.

Paragraph 4: Role and function of OAIC

1 The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General’s portfolio, and is established by the Australian Information Commissioner Act 2010 (“the AIC Act”).

2 The Australian Information Commissioner (“the Australian Commissioner”) is appointed by the Governor-General pursuant to section 14 of the AIC Act.

3 The Australian Commissioner leads the OAIC as Australia’s key independent regulator responsible for promoting and upholding privacy and information access rights.

4 The Australian Commissioner has a range of statutory functions, duties, obligations and powers and is empowered to take a range of regulatory action. These functions, duties, obligations and powers are set out in the following legislation (as amended from time to time). This is not an exhaustive list:

  1. Australian Information Commissioner Act 2010
  2. Privacy Act 1988 (“the Privacy Act”)
  3. Freedom of Information Act 1982 (“the FOI Act”)
  4. Competition and Consumer Act 2010 (in relation to the Consumer Data Right)
  5. Crimes Act 1914 (in relation to spent convictions)
  6. National Health Act 1953 (in relation to Medical Benefits Schedule/Pharmaceutical Benefits Schedule data matching)
  7. Data-matching Program (Assistance and Tax) Act 1990
  8. Healthcare Identifiers Act 2010
  9. My Health Records Act 2012
  10. Telecommunications Act 1997

The Australian Commissioner’s regulatory and enforcement powers include:

  1. conducting assessments of compliance with the Privacy Act;
  2. making preliminary inquiries and investigating privacy and Freedom of Information (“FOI”) complaints;
  3. conducting Commissioner initiated investigations into acts or practices that may breach the Privacy Act or the FOI Act;
  4. conducting reviews of FOI decisions;
  5. issuing written notices requiring production of information and documents in relation to an investigation;
  6. conducting hearings, examining witnesses and directing persons to attend compulsory conferences;
  7. making determinations in relation to privacy investigations, which can include a compensation award payable by the respondent;
  8. issuing proceedings in the Federal Court or the Federal Circuit and Family Court of Australia to enforce determinations; and
  9. applying to the Federal Court or the Federal Circuit and Family Court of Australia for a civil penalty order against an agency or organisation.

Paragraph 5: Role and function of the Info-Communications Media Development Authority and PDPC

1 The Info-communications Media Development Authority is established under section 3 of the Info-communications Media Development Authority Act 2016 of the Republic of Singapore, and is designated as the PDPC under section 5(1) of the Personal Data Protection Act 2012 of the Republic of Singapore (“PDPA”). The PDPA governs the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

2 The functions of the PDPC set out in section 6 of the PDPA include the following, amongst others:

  1. to administer and enforce the PDPA;
  2. to represent the Singapore Government internationally on matters relating to data protection; and,
  3. to manage technical co-operation and exchange in the area of data protection with foreign data protection authorities and international or inter-governmental organisations.

3 The PDPC’s regulatory and enforcement powers include the following, amongst others:

  1. conducting investigations and reviews in relation to organisations’ compliance with the PDPA;
  2. requiring individuals and organisations, by notice in writing, to produce to the PDPC information and/or documents which the PDPC considers relates to any matter relevant to any investigation;
  3. issuing advisory notices, warnings and directions to organisations to ensure their compliance with the PDPA;
  4. administering financial penalties and composition sums for contravention of the PDPA;
  5. registering its directions with the Courts and enforcing them as an Order of Court; and
  6. prosecuting criminal offences before the Courts.

Paragraph 6: No sharing of personal information

1 This MOU is not intended to cover any sharing of personal data by the Participants.

2 If the Participants wish to share personal data, for example in relation to any cross border personal data incidents involving organisations in both jurisdictions, each Participant will have to consider compliance with its own applicable data protection laws, regulations, requirements, and guidelines, which may require the Participants to enter into a written agreement or arrangement regarding the sharing of such personal data.

Paragraph 7: Information shared by the OAIC

1 The Australian Commissioner will only share information as part of this MOU in accordance with the requirements of the Privacy Act and any other applicable laws and regulations in its jurisdiction.

2 For example, section 33A of the Privacy Act allows the Australian Commissioner to share certain information with an authority of the government of a foreign country that has functions to protect the privacy of individuals, such as the PDPC, for the purpose of:

  1. the Australian Commissioner exercising powers, or performing functions or duties, under the Privacy Act; or
  2. the PDPC exercising its powers, or performing its functions or duties.

3 Pursuant to section 33A(3), among other requirements, the Australian Commissioner may only share information or documents with the PDPC if:

  1. the information or documents were acquired by the Australian Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act; and
  2. the Australian Commissioner is satisfied on reasonable grounds that the PDPC has satisfactory arrangements in place for protecting the information or documents.

4 Furthermore, section 29 of the AIC Act makes unauthorised dealing with information an offence where information is acquired in the course of performing functions or exercising powers for the purposes of an information commissioner function, a freedom of information function or a privacy function.

5 Provided the Australian Commissioner acts pursuant to the powers and functions set out in the AIC Act and has due regard to the objects of the AIC Act (and any other relevant law) the Australian Commissioner can share information as intended by this MOU.

6 For the purposes of sharing confidential information with PDPC, the OAIC will not furnish any information unless it requires, and obtains from, the PDPC an undertaking in writing that the PDPC will comply with the terms specified by the OAIC, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the OAIC.

Paragraph 8: Information shared by the PDPC

1 Pursuant to section 59 of the PDPA the PDPC is required to preserve the secrecy of confidential information that may come into its knowledge in the performance of its functions and duties under the PDPA and the PDPC will not communicate any confidential information to the OAIC except in so far as such communication:

  1. is necessary for the performance of any such function or discharge of any such duty;
  2. is lawfully required by any Court;
  3. is necessary to comply with any provision of a co-operation agreement entered into under section 10 of the PDPA where the following conditions are satisfied:
    1. the information or documents requested by the OAIC are in the possession of the PDPC;
    2. unless the Singapore Government otherwise allows, the OAIC undertakes to keep the information confidential at all times; and
    3. disclosure of the information is not likely to be contrary to public interest; or
  4. is lawfully required or permitted under Singapore’s domestic legislation.

2 For the purposes of sharing confidential information with OAIC, the PDPC will not furnish any information unless it requires, and obtains from, the OAIC an undertaking in writing that the OAIC will comply with the terms specified by the PDPC, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the PDPC.

Paragraph 9: Costs and expenses

Without prejudice to any separate written arrangement under Paragraph 3 or unless otherwise mutually decided upon in writing by the Participants, each Participant will bear its own costs and expenses in implementing this MOU.

Paragraph 10: Security and data breach reporting

1 The Participants will jointly determine the appropriate security measures to protect information transfers in accordance with the sensitivity of the information and any classification that is applied by the sender of that information.

2 Where confidential material is shared between the Participants it will be marked with the appropriate security classification.

3 The information transfers undertaken as part of this MOU are subject to all applicable confidentiality, secrecy and privacy requirements under the laws, regulations, requirements, and guidelines, applicable to the Participants in their respective jurisdictions.

4 The Participants may only use the information shared for the purposes for which it was shared.

5 Where one Participant has received information from the other Participant, it will, subject to any applicable laws, regulations, requirements, and guidelines, in its jurisdiction, seek and obtain consent from the other Participant before passing the information to a third party or using the information in any law enforcement proceedings or any court case.

6 Where confidential material obtained from, or shared by, the originating Participant is wrongfully disclosed or used by the receiving Participant, the receiving Participant will bring this to the attention of the originating Participant without delay.

Paragraph 11: Review of the MOU and Amendments

1 The Participants will monitor the implementation of this MOU and review it biennially, or sooner if either Participant so requests.

2 Either Participant may make a request in writing for a revision or amendment of any provision of this MOU. Any revision or amendment which has been mutually decided upon in writing by the Participants will come into effect on such date as may be mutually decided upon by the Participants.

Paragraph 12: Commencement, duration and termination

1 This MOU will come into effect on the date of signature and will remain in effect unless either Participant chooses to terminate this MOU by giving six (6) months’ written notice to the other Participant.

2 The termination of this MOU will not affect the validity, duration, implementation and completion of any project or activity undertaken or decided upon under this MOU prior to the date of termination unless the Participants otherwise mutually decide in writing.

Paragraph 13: Non-binding effect of this MOU and dispute settlement

1 Nothing in this MOU is to be construed as establishing or implying a partnership, joint venture, agency or other legal relationship between the Participants. This MOU is a statement of intent that does not constitute or create, and is not intended to constitute or create obligations under domestic or international law and will not be deemed to constitute or create any legally enforceable rights or binding obligations, whether express or implied, on either Participant.

2 The Participants will settle any dispute or disagreement relating to or arising out of the interpretation or implementation of this MOU amicably through mutual consultations or negotiations in good faith without reference to any third party, court, tribunal, organisation, or any other forum.

3 Nothing in this MOU affects the exercise of the legislative functions, powers, duties or obligations of either Participant.

Paragraph 14: Designated contact points

1 The following positions will be the designated contact points for the Participants for matters under this MOU:

Office of the Australian Information Commissioner
Position: Deputy Commissioner
Current Officer: Elizabeth Hampton

The Personal Data Protection Commission, Singapore
Position: Deputy Commissioner
Current Officer: Denise Wong

2 The designated contact points will maintain an open dialogue between each other in order to ensure that this MOU remains effective and fit for purpose. They will also seek to identify any difficulties in the working relationship, and proactively seek to minimise the same.

3 Each Participant may change its designated contact point for the purposes of this MOU upon notice in writing to the other Participant.

Signed in duplicate in the English language.

For the Office of the Australian Information Commissioner:

[Signed]

Angelene Falk

Date: 1/12/2023
Place: Australia

For the Personal Data Protection Commission of the Republic of Singapore:

[Signed]

by Lew Chuen Hong

Date: 1/12/2023
Place: Australia

Footnote

[1] Data Protection Officers are privacy specialists within organisations in both jurisdictions.