How Well Do You Understand the Personal Data Protection Act and its Practical Implications?

Transcription

1 29 Feature This article shall examine the key points in the Personal Data Protection Act ( PDPA ) and the practical measures required when the PDPA comes into full force on 1 July The law governing the Do Not Call Registry came into effect on 2 January How Well Do You Understand the Personal Data Protection Act and its Practical Implications? types of organisations governed by the PDPA. They include: (i) an individual carrying on a business (not in a personal or domestic capacity eg self-employed consultant); (ii) a body corporate; and (iii) a body unincorporate (eg a society or association). 2 So long as an organisation handles customers and employees personal data, it is caught under the PDPA. This covers virtually all businesses in Singapore. Who is Protected Under the PDPA? All personal data belonging to an individual (living or deceased) is protected under the PDPA. It is interesting to note that only individuals who are deceased for 10 years or more are exempt from the PDPA. 3 Hence, the PDPA protects three groups of individuals: (i) customers; (ii) employees; and (iii) others (eg company directors). Who is Not Protected Under the PDPA? Data belonging to non-individuals (eg companies) is not protected under the PDPA (eg B2B businesses). Personal data belonging to an individual deceased more than 10 years ago is also not protected under the PDPA. What Information is Protected Under the PDPA? Scope of PDPA What is the PDPA About? The purpose of the PDPA (Personal Data Protection Act) is to balance the commercial need of organisations to use individuals personal data and the right of individuals to protect their personal data. 1 Who are Governed by the PDPA? Organisations that collect, use or disclose an individual s personal data are regulated by the PDPA. There are three All personal data 4 belonging to an individual is protected under the PDPA. Hence the following data which identifies an individual will be considered personal data : full name, NRIC Number, passport number, photographs and CCTV images, personal mobile telephone number, personal address, name and residential address. Certain information on its own such as: To the occupant of #15-01, Block 1000A, Marine Parade Road will not be considered personal data. Interestingly, personal data in a business name card belonging to an individual is not governed (hence not protected) by the PDPA if it is not used for personal purposes. 5 Hence, if Mr Tan leaves his business name card at a seminar for the purpose of being included in the organiser s mailing list to attend future similar seminars, his personal data will not be protected under the PDPA.

2 Feature 30 What About Personal Data Collected Before 2 July 2014? All personal data collected by an organisation before the Appointed Date (2 July 2014) will still be valid unless the individual has withdrawn his consent or objects to the use of his personal data. 6 The Nine Organisation Obligations The nine organisation obligations ( nine obligations ) that will be discussed herewith constitute some of the core provisions of the PDPA. 7 These are important legal obligations every organisation must comply with. Organisations must start to comply with these obligations from 2 July The Consent Obligation Briefl y stated, an organisation must obtain an individual s consent before it collects, uses or discloses his personal data. 8 There are two types of consent: express consent and deemed consent. An express consent includes consent in writing. There are two types of deemed consent. First, an individual is deemed to have given his consent if he voluntarily provides his personal data to an organisation and it is reasonable for the individual to do so. 9 For instance, an individual sending his CV to an organisation in response to an advertisement for a job vacancy. Second, an individual is deemed to have given his consent to the disclosure of his personal data by one organisation to another organisation for a particular purpose. 10 For instance, if A buys an insurance life policy from Organisation A, he is deemed to have consented to Organisation A disclosing his personal data to Organisation B for re-insurance of A s insurance policy. What would constitute a valid consent? There are two conditions for valid consent. First, the organisation must notify the individual of the purpose of the consent. 11 For instance, an organisation is having a lucky draw, the participants must be informed that the personal data is for the purposes of that lucky draw. Second, the personal data required must be reasonable. 12 For instance, it is wrong for a TV vendor to ask the buyer for his entire family s personal data. Third, the organisation must not use false, misleading or deceptive means to obtain an individual s personal data. 13 For instance, advertising for jobs that are non-existent to obtain personal data from applicants. Collection, use and disclosure without consent a. PDPA Exemptions (Second, Third & Fourth Schedules) An organisation can collect, use and disclose an individual s personal data without his consent if it falls within the circumstances stipulated in the Second, Third and Fourth Schedules. 14 These are very useful exemptions available to an organisation in handling customers or employees personal data without obtaining their consent. For instance, the HR department of an organisation need not obtain an employee s consent for evaluative purposes. 15 The term evaluative purpose 16 includes: (a) for the purpose of determining the suitability, eligibility or qualifi cations of the individual to whom the data relates (i) for employment or for appointment to offi ce; (ii) for promotion in employment or offi ce or for continuance in employment or offi ce; (iii) for removal from employment or offi ce. Hence an organisation does not need to obtain: (i) a job applicant s consent to collect, use or disclose his personal data to assess his suitability for the job; or (ii) an employee s consent for his promotion purpose or to terminate his employment. HR departments may also like to note that an organisation can also collect an employee s personal data without his consent for the employee s employment, business or profession. 17 b. Required or authorised under PDPA or other written law An organisation can collect, use or disclose an individual s personal data without his consent if it is required or authorised under other written law. For instance, a bank need not obtain a customer s consent if it discloses his personal data to a third party pursuant to the Third Schedule, Banking Act. 2. The Purpose Limitation Obligation An organisation may only collect, use or disclose an individual s personal data if it informs the individual of the specifi c purpose (which must be appropriate or reasonable). 18 An organisation is prohibited from using the personal data collected for a different purpose. For instance, a modelling agency cannot advertise for models and use their photos for pornographic websites. However, it is acceptable for the modelling agency to use the models personal data to send them greeting cards or to inform them of new modelling opportunities. 3. The Notification Obligation In order to obtain an individual s consent, an organisation must inform or notify the individual the purpose for use or disclosure of his personal data. 19 Hence, the purpose obligation and the notifi cation obligation are closely connected. These are two obligations that an organisation will fi nd rather onerous as it handles customers and employees personal data on a daily basis. What must an organisation notify an individal of? An organisation must notify the individual of the purpose of the collection, use or disclosure of his personal data and also of other purposes. 20 For instance, an insurance company needs to inform its clients that their personal data may be disclosed to a re-insurance company for re-insurance purposes.

3 31 Feature When should an organisation do this? An organisation must notify the individual the specified purpose on or before it collects his personal data. 21 Practical implication of Consent, Purpose and Notification Obligations First, an organisation must set up a formal procedure to comply with these three obligations. It should specify the circumstances where it can collect, use and disclose the personal data without consent by checking against the Second, Third and Fourth Schedules. Second, it should design a standard form to incorporate the three obligations. This standard form may be labelled Consent Form. This form should include: the purpose of collecting the personal data, third parties the personal data may be disclosed to, withdrawal of consent, signature etc. In drafting such a form, care must be taken to avoid the use of language that is too vague or general which may invalidate the use of such a form. 4. The Access and Correction Obligation This is another important obligation an organisation must comply with and manage on a daily basis. a. The Access Obligations Every individual has the right of access to his personal data. 22 Hence, an organisation must grant an individual access to his personal data which it has in its own possession or under its control (eg outsourced to a Data Intermediary). 23 This request is called the Access Request. An organisation must disclose all personal data belonging to an individual and how it has been used for the past one year. 24 minimum fee to recover the costs and time spent in acceding to the Access Request. 26 Offences relating to access obligation Individuals should take note that it is a criminal offence for a person to make an Access Request on another individual s personal data without his authority. 27 The penalty for such unauthorised access is a maximum fi ne of $5,000 or an imprisonment term not exceeding 12 months or both. 28 Organisations should also take note that it is a criminal offence to alter, falsify, conceal or destroy any record containing an individual s personal data to avoid complying with an access request. 29 When would an individual s request for access be denied? First, an organisation may refuse or deny any individual from accessing his personal data if the circumstances fall within the Fifth Schedule of the PDPA. 30 For instance, an employee has no right to access any HR record concerning himself (eg for promotion purposes), because this would relate to an opinion data solely for evaluative purpose. 31 Pursuant to item 1(j), Fifth Schedule, an organisation can reject an individual s Access Request for the following reasons: 1. Unreasonable interference with the organisation s operation because of its repetitive nature (eg customer asking for the same or almost the same personal data every week); 2. Burdensome to the organisation or disaproportionate to the individual s interest (eg customer wanting to view the CCTV footage over the past one year instead of a specifi c date(s)); How to exercise an Access Request? An organisation should design a standard Access Request form to facilitate and manage the ongoing Access Requests by customers and employees. This standard form should contain the full identity of the individual requesting for access. How soon should an organisation respond to an Access Request? An organisation should respond to an Access Request within 30 days. 25 If it is not reasonable or possible to provide the personal data within 30 days, the organisation shall disclose the personal data to the individual at the reasonably soonest time. What fees can an organisation charge for an Access Request? The PDPA does not provide a fi xed fee or a maximum fee (unlike the UK) for an Access Request. It can charge a

4 Feature Trivial information (eg check on his address postcode); or 4. Frivolous or vexatious (eg disgruntled ex-employee repeatedly asking for the same personal data to annoy an organisation). Second, an organisation can also deny an access request to a person s personal data if it would reveal the personal data of another individual. For instance, a CCTV footage that captures both the individual image together with another third party. b. The Correction Obligation Every individual has the right to correct any error in his personal data. Hence, an organsation must allow an individual to correct any error or omission in his personal data that is in the possession or under the control of the organisation. 32 This request is called the Correction Request. If the organisation has disclosed the personal data to an organisation within a year before the correction request, it must also send the corrected personal data to the other organisation. 33 If an insurance company (A) has corrected the personal data of its insured (Mr X), it must also inform company B (its re-insurance company) of Mr X s corrected personal data. How to exercise a Correction Request? The PDPA does not provide for a standard Correction Request. Each organisation should design its own standard Correction Request Form. In this form, it should include the identity of the individual and the particulars of the personal data to be corrected. How soon should an organisation respond to a Correction Request? The response time is also 30 days upon receiving the Correction Request. 34 Can an organisation charge any fee for a Correction Request? Unlike an Access Request, there is no provision in the PDPA to impose any fee on a Correction Request. 35 It would appear that an organisation has no legal authority for any fee to be imposed for a Correction Request. When can an organisation reject a Correction Request? First, an organisation need not accede to a Correction Request if the circumstances fall within the Sixth Schedule. 36 For instance, an employee cannot ask an organisation to change its promotion or termination report because that is an opinion data solely for an evaluative purpose. 37 Second, an organisation may deny a customer s request to alter or correct a professional or an expert opinion. 38 For instance, a customer cannot ask his insurance company to correct his medical report submitted by the insurance company s doctor for his life insurance application.third, an organisation may refuse to accede to a Correction Request if it has reasonable grounds why a correction should not be made. 39 It is unclear what would constitute a reasonable ground to justify a refusal to correct an individual s personal data which does not fall within (a) or (b) above. Perhaps an example may be where the request is made by an individual s representative and the authorisation or identity of the representative cannot be verifi ed. What should an organisation do when it refuses to accede to a Correction Request? Does it need to give reasons for its refusal? This is unclear in the PDPA. If an organisation is refusing on the ground of unreasonableness, s 22(5) merely states that the organsation shall annotate the personal data in possession or under its control with the correction that was requested but not made. This is for internal record purpose but it does not address the issue whether the organisation needs to give reasons for refusing to correct the personal data requested. For practical purposes, it is better to disclose the reason for not acceding to the Correction Request. This is consistent with the Hong Kong practice. Offences relating to Correction Request The same offence and penalty relating to Access Request applies to a Correction Request. 40 Practical implications of Access and Correction obligations First, the organisation must set up a formal procedure to handle the regular Access Requests and the Correction Requests. Second, it should design its own Access/ Correction Form. This form should include: the identity of individual persons requesting for access or correction, personal data to be accessed or corrected and the administrative fee (for Access request) etc. 5. The Accuracy Obligation An organisation must make a reasonable effort to ensure that the personal data collected is accurate and complete under certain circumstances discussed below. 41 When must an organisation undertake this obligation? As a general rule, an organisation has no legal obligation to check on the accuracy and completeness of the personal data obtained from an individual. However, there are two instances when an organisation must discharge this obligation. First, it is when an organisation is using the personal data to make a decision that affects the individual (eg his employment or promotion). 42 Second, it is when the personal data is likely to be disclosed by an organisation to another organisation. 43 This would include: re-insurance of life policy, or where personal data of customers collected may be disclosed to the Credit Bureau.

5 33 Feature Practical implication of Accuracy Obligation To comply with this obligation, an organisation must exercise more care when it handles an individual s personal data for these two purposes. 6. The Protection Obligation An organisation must protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modifi cation and disposal. 44 What security arrangement should an organisation have? An organisation should: (i) design and organise security arrangements to fi t the nature of the personal data held by the organisation and the harm that might result from a security breach; (ii) have reliable and well-trained personnel to ensure the information security; (iii) implement robust policies and procedures to ensure appropriate levels of security; and (iv) be prepared and able to respond to any security breach. 45 What types of security arrangements must an organisation have? The PDPA Commission has recommended three types of security measures: (i) adminstrative measures (includes implementing procedures relating to confi dentiality obligations, business continuity plan etc); (ii) physical measures (includes restriction of access by employees, proper disposal etc); and (iii) technical measures (includes securing computer network, encrypting personnel data, access control etc). 46 Practical implication of Protection Obligation When should an organisation cease to retain an individual s personal data? First, an organisation must cease to retain the documents containing personal data or remove the means by which the personal data can be associated with an individual as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served. 47 For instance, when an individual is no longer an employee of an organisation (ex-employee). Second, when the retention is no longer necessary for legal or other business purposes. 48 For instance, when an individual is no longer a customer of an organisation (ex-customer). When would an organisation need to retain personal data for a longer period An organisation may need to keep for a longer period the personal data of a disgruntled ex-customer or ex-employee because these individuals may sue the organisation. It may also need to retain personal data for a longer period under the requirements of other applicable laws. For instance, under The Corruption, Drug Traffi cking And Other Serious Crimes (Confi scation of Benefi t Act) ( CDSA ), an organisation is required to keep certain documents containing a customer s personal data for a minumum of fi ve years after the last transaction. What should an organisation do at the end of the retention period? An organisation must cease to retain the documents containing the personal data of an individual. This means it must remove, delete or erase the document containing the personal data permanently. Alternatively, the organisation may remove the means by which the personal data can be An organisation must establish and implement a security system to prevent any unauthorised access or abuse of the personal data in its possession or under its control. It should provide for regular audit of the security system. It must establish contingent plans and remedial measures in the event there is a breach of the security system. If the security system is outsourced to a third party, its contract must contain contractual binding provisions to ensure the outsourced party is able to comply with the Protection Obligations. 7. The Retention Limitation Obligation An organisation cannot keep the personal data of an individual indefi nitely. Whilst there is no fi xed retention period, it is limited or fi xed by two factors below.

6 Feature 34 associated with an individual. This means to annoymise the identity of the individual. The logic is that if the identity of an individual can no longer be identifi ed, the remaining data no longer constitutes personal data. 49 Hence the PDPA does not apply. Practical implication of Retention Obligation First, an organisation must specify its retention policy and defi ne the retention periods for various classifi cations of personal data (eg customers and employees). Second, it must specify the circumstances in which the personal data may be retained longer than the retention period. Third, it must specify the method of removal of the personal data (physical and digital) or anonymisation (what method). Fourth, there needs to be a regular review to ensure that there is no over-retention of the personal data beyond the Retention Obligation. 8. The Transfer Limitation Obligation An organisation must not transfer any personal data outside of Singapore unless it provides the same standard of protection under the PDPA. 50 This is particularly important when an organisation has to transfer the personal data to its overseas head offi ce, related offi ces or to overseas outsourced parties ( Overseas Party ). How to ensure compliance with the Transfer Limitation Obligation? The PDPC has recommended two ways. 51 First, by entering into a contractual agreement between the organisation in Singapore and the Overseas Party. This contractual route is more suitable where the Overseas Party is a third party (eg Data Intermediary). Second, an organisation may adopt the binding corporate rules approach for inter-corporate rules (eg code of conduct, corporate policies) which are more suited for a multinational group of companies. These legally binding instruments must contain provisions that provide a comparable standard of protection under the PDPA. Practical implications of the Transfer Limitation Obligation The organisation should draft a standard contractual agreement when it transfers personal data to a third party overseas ( Overseas Transfer Agreement ). This agreement should contain all the personal data protection provisions under the PDPA (ie the nine obligations). If the overseas transferee party is a related affi liate of the organisation, it should examine and review that the internal binding corporate rules provided for the personal data protection are comparable to those under the PDPA. 9. The Openess Obligation Basically, an organisation should provide information on its data protection policies, practices and complaints process to the public upon request. Practical implication of Openness Obligation First, an organisation must, in developing its data protection policy and practices, appoint one or more individuals to be the compliance officer(s) under the PDPD ( Data Protection Offi cer ). 52 The contact particulars ( Business Contact Information ) of this offi cer(s) must be made available to the public. 53 Second, an organisation must develop and implement a compliance system to meet its obligations under the PDPA. 54 Third, as part of this compliance system, it must develop a process to handle complaints received from individuals ( Complaint Process ). 55 Fourth, an organisation must make available to the public, upon request, its compliance policies and practices and its Complaint Process. 56 Finally, an organisation must communicate to its employees its compliance policies and practices by conducting internal training. 57 Do Not Call Registry What is the Do Not Call Registry ( DNC Registry ) About? The DNC Registry is set up to protect individuals from receiving unsolicited marketing messages ( Specifi ed Message ) from organisations. An individual can avoid receiving any unsolicited marketing messages from any organisation by registering with any of the three registers ( No Voice Call, No Text message or No Fax ) under the DNC Registry. An organisation must not send any marketing messages to any individual whose name is registered under the DNC Registry. When Did the DNC Registry Commence? The DNC Registry came into operation on 2 January What is the Scope of the DNC Regime? First, the DNC regime only applies to sending marketing messages to Singapore telephone numbers 58 by telephone calls, text messages and faxes. Hence, junk mail stuffed into our letter boxes will not be prohibited. Second, it only applies to local marketing messages (ie both sender and recipient of the message must be in Singapore). 59 Hence, overseas marketing messages received by a receipient in Singapore are not covered. Third, all marketing messages (eg advertisements) relating to the supply and promotion of goods and services are covered under the DNC regime. 60 This would include the sale of all forms of goods, fi nancial products, residential property and supply of services (eg fi nancial services etc). What Does Not Come Within the DNC Regime? The DNC regime does not cover the following messages: it does not cover messages sent by an individual in a personal or domestic capacity. 61 Hence, private phone calls, SMS etc are not covered. Also, any message for conducting market research or market survey is not covered. 62 Third, any message sent to an organisation is not covered. 63

7 35 Feature Hence, B2B messages are not covered. For the rest of the exemptions, please refer to the Eighth Schedule. What are the Duties of an Organisation Under the DNC Regime? There are two statutory duties an organisation must discharge under the DNC regime. 1. Duty to check the DNC Registry. First, an organisation must check the DNC Registry before sending any marketing messages to an individual. 64 It must not send any marketing messages to any individual whose name is registered under the DNC Registry. However, this duty shall not apply where the individual has given clear and unambiguous consent. 65 For instance, if Miss Tan has signed up with a gym and she ticked the yes box in her membership form to receive further information from the gym; this would constitute clear and unambiguous consent. Practical implication An organisation must fi rst register with the DNC Registry to access the DNC Registry to check the DNC registers. 2. Duty to identify itself. Second, an organisation that makes a voice call to an individual regarding a marketing message must identify itself. It must not conceal its calling line identity (eg telephone numbers). 66 The penalty for violation of either of these two duties is a fi ne up to $10, Practical implication An organisation must ensure that all telemarketing messages are made with identifi able telephone numbers. Powers of Commission Complaint to Commission by individual What can an individual do if he is dissatisfied with an organisation for: (i) refusing his Access/Correction Request; (ii) charging on unreasonable fee ; or (iii) taking too long to accede to his Access/Correction Request? The individual can lodge a complaint with the Commission. What Can the Commission Do? Upon receiving a complaint from an aggrieved individual, the Commission will review his complaint. The Commission can take any of the following actions: (i) confi rm the refusal of the Access Request or direct the organisation to provide access to the complainant within such time specifi ed by the Commission; 68 (ii) confi rm, reduce or disallow a fee or direct the organisation to make a refund to the complainant; 69 (iii) confi rm the refusal of the Correction Request or direct the organisation to correct the personal data in such manner and time specifi ed by the Commission. 70 What Other Powers does the Commission Have? If an organisation has failed to comply with Parts III to VI (the nine obligations) of the PDPA, the Commission can give directions to the organisation to: (i) stop collecting, using or disclosing personal data in contravention of the PDPA; (ii) destroy the personal data in contravention of the PDPA; or (iii) pay a fi nancial penalty of an amount not exceeding $1 million. 71 Offences, Penalties and Civil Action Criminal Sanction Any person guilty of an offence under the PDPA (for which no penalty is expressly provided) is subject to a general penalty of a fi ne not exceeding $10,000 or to imprisonment for a term not exceeding three years or to both. If it is a continuing offence, there shall be a further fi ne not exceeding $1,000 per day. 72 The Commission may, in its discretion, compound any offences under the PDPA (except for the DNC offences) by accepting a sum less than half of the maximum fi ne or a sum of $5,000 (whichever is lower). 73 It is also important to note that with regard to an Access/ Correction Request, it is an offence to: (i) evade such a request by disposing, altering, falsifying, concealing or destroying a record containing personal data; (ii) to obstruct or impede the Commission in the exercise of its power or performance of its duties; or (iii) to knowingly or recklessly mislead the Commission. 74 The penalty for an offence under (i) is a maximum fi ne of $5,000 (for an individual) or $50,000 (for an organisation). The penalty for offences under (ii) and (iii) is a maximum fi ne of $10,000 (for an individual) or $100,000 (for an organisation). 75 Civil Action Besides criminal sanction, an organisation faces civil action if it violates Parts IV, V and VI (the nine obligations) under the PDPA. If a person suffers loss or damage directly as a result of a contravention of any of the nine obligations by an organisation, he can sue the organisation for damages or seek an injunction (to stop the collection, use or disclosure of his personal data) in a civil action. 76 For instance, an employee who lost his job because the HR department wrongly refused to allow him to correct his academic qualifi cation may threaten to sue the organisation. Tan Sin Liang S L Tan & Co sltannco@singnet.com.sg

8 Feature 36 Notes 1. Section 3. 2 Section 2. 3 Section 4(b). 4 See definition of personal data in s 2. 5 See definition of business contact information in s 2. 6 Section See Proposed Advisory Guidelines On Key Concepts In The Personal Data Protection Act issued by the Personal Data Protection Commission ( PDPC ) on 5 Feb 2013 ( Key Concepts Guidelines ). 8 Section Section 15(1). 10 Section 15(2). 11 Section 14(1). 12 Section 14(2)(a). 13 Section 14(2)(b). 14 Section Item 1(f), Second Schedule.,1(f), Third Schedule, 1(h), Fourth Schedule. 16 See definition of evaluative purpose in s Item 1(n), Second Schedule. 18 Section Section 20(1)(a). 20 Section 20(1)(b). 21 Section 20(1)(2). 22 Section 21(1). 23 See definition of data intermediary in s Section 21(b). 25 See Proposed Regulations On Personal Data Protection In Singapore by the PDPC, 5 Feb 2013, 3.7 (b)(i) at p 8 ( Proposed Regulations ). 26 Para 3.7 (b)(ii), Proposed Regulations. 27 Section 51(1). 28 Section 51(2). 29 Section 51(3). 30 Section 21(2). 31 Item 1 (a), Fifth Schedule. 32 Section 22(1). 33 Section 22(2 (b). 34 Para 3.7 (b)(i), Proposed Regulations. 35 See Para 3.7(ii), Proposed Regulations. 40 Section 51(1). 41 Section Section 23(a). 43 Section 23(b). 44 Section Para 16.3, Key Concepts Guidelines. 46 Para 16.5, Key Concepts Guidelines. 47 Section 25(a). 48 Section 25(b). 49 See definition of personal data in s Section 26 (1). 51 See Part III, Proposed Regulations. 52 Section 11 (3). 53 Section 11 (4). 54 Section 12 (a). 55 Section 12 (b). 56 Section 12 (d). 57 Section 12 (c). 58 Section Ibid. 60 Section Item 1(b), Eighth Schedule. 62 Item 1(f), Eighth Schedule. 63 Item 1(g), Eighth Schedule. 64 Section 43(1). 65 Section 43(3). 66 Section 45(1). 67 Sections 44(2) and 45(2). 68 Section 28(2)(a). 69 Section 28(2)(b). 70 Section 28(2)(c). 71 Section 29(2). 72 Section Section 55(1). 74 Section 51(3). 75 Section 51(4)(5). 76 Section Section 22(7). 37 Item 1(a), Sixth Schedule. 38 Section 22(6). 39 Section 22(2).