Data breaches at corporations have been a recurring problem over the years.
When this happens, firms can face substantial fines, especially since the recent changes to Singapore’s data protection laws last year. How are consumers’ personal data safeguarded in Singapore, and why is it essential to do so?
In this article, we guide you through Singapore’s key Personal Data Protection Act (PDPA), which ensures organisations take ownership of personal data.
What is the Personal Data Protection Act (PDPA) in Singapore?
The Personal Data Protection Act (PDPA) was enacted in Singapore on 15 November 2012. It came into effect on 2 July 2014. The PDPA regulates the collection, use, and disclosure of personal data by organisations to safeguard the privacy of individuals.
This guide provides an overview of the key requirements of the PDPA and will be updated as new developments arise.
What is Considered Personal Data?
Personal data is data about an individual who can be identified from that data alone, or from that data combined with other information that the organisation has or is likely to have access to.
Here are some examples of personal data:
- Date of birth
- Phone number
- Residential address
- Photograph of the individual
- Voice of the individual
- National Registration Identity Card (NRIC) number
What is Covered Under the PDPA?
The PDPA encompasses all electronic and non-electronic personal data, whether true or false.
Is the PDPA Mandatory in Singapore?
Yes, it applies to all organisations, including public agencies, private companies, sole proprietorships, partnerships, and associations that collect, use, or disclose personal data.
Who is Excluded From the PDPA?
The PDPA protects the personal data of both living and deceased individuals. However, the personal data of individuals who have been deceased for at least 10 years is excluded from the PDPA’s protection.
It also does not apply to personal data contained in a record that has existed for at least 100 years. Nor does it apply to business contact information, which includes an individual’s name, business title, business telephone number, and business email address.
What Are the 11 PDPA Obligations?
The PDPA sets out 11 obligations that organisations must comply with. Most of them fall into the three groups below:

| Collection of Personal Data | Care of Personal Data | Individual’s Autonomy Over Personal Data |
| --- | --- | --- |
| Notification | Accuracy | Access and Correction |
| Consent | Protection | Data Breach Notification |
| Purpose Limitation | Retention Limitation | |
Accountability Obligation
Organisations must put in place policies and practices to fulfil their obligations under the PDPA, and information about those policies must be made available on request. You must also designate a Data Protection Officer (DPO) and make your company’s contact information publicly accessible.
Notification Obligation
Companies must inform individuals of the specific purposes for which they intend to collect, use, or disclose their personal data.
Consent Obligation
Businesses may only collect, use, or disclose personal data for the purposes that the individual has consented to.
The individual must be able to withdraw consent on giving reasonable notice, and must be informed of the likely consequences of doing so. Once consent is withdrawn, you must stop collecting, using, or disclosing that personal data.
Purpose Limitation Obligation
You may only collect, use, or disclose an individual’s personal data for purposes that are appropriate in the circumstances and for which consent has been given.
You cannot, as a condition of providing a product or service, require the individual to consent to the collection, use, or disclosure of personal data beyond what is reasonable to provide that product or service.
Accuracy Obligation
Companies must make a reasonable effort to ensure that the personal data they collect is complete and accurate. This is especially important if the data is likely to be used to make a decision that affects the individual, or will be disclosed to another organisation.
Protection Obligation
Organisations must make reasonable security arrangements to safeguard the personal data in their possession or under their control. This is to prevent risks such as unauthorised access, collection, use, or disclosure of personal data.
Retention Limitation Obligation
Companies must cease to retain personal data, or dispose of it securely, as soon as it is no longer needed for any business or legal purpose.
Transfer Limitation Obligation
You may only transfer personal data to another country in accordance with the requirements prescribed under the regulations. These requirements ensure that the transferred data receives a standard of protection comparable to that under the PDPA, except where the PDPA does not require it.
Access and Correction Obligation
On request, organisations must provide individuals with access to their personal data and with information on how it has been used or disclosed within 1 year of the date of the request.
They must also correct any error or omission in the personal data as soon as practicable. They must then send the corrected data to every other organisation to which it was disclosed within the year before the correction was made.
Data Breach Notification Obligation
When a data breach occurs, organisations must have a process in place to assess whether the breach has to be notified. If the breach results in substantial harm to individuals and is large in scale, they must notify the Personal Data Protection Commission (PDPC) and the affected individuals as soon as possible.
Data Portability Obligation
When requested, companies must transmit an individual’s personal data in their possession or under their control to another organisation. The data must be in a commonly used, machine-readable format.
Tips to Stay Compliant With the Personal Data Protection Act
You can implement some measures to help ensure that you remain compliant with the PDPA requirements.
For example, you should regularly keep track of these aspects:
- The type of personal data collected: Knowing the personal data collected allows you to make better decisions around data protection
- The purpose(s) of the personal data being collected
- The person collecting the personal data: Only someone who is authorised and who has received suitable training in the PDPA should take part in the collection process
- The location in which the personal data is stored
- Who the personal data is revealed to: Before you disclose personal data, you should always verify the identity of the person you are disclosing it to. One way to do so is to ask for verification documents
It is also necessary to put data protection policies in place to ensure that you meet the data protection obligations. These can be physical or technical measures, such as giving access to personal data only to authorised personnel and securing physical records appropriately.
You can also install robust anti-virus software on your computer systems to help prevent information from being leaked online. In addition, you are required to appoint at least one Data Protection Officer (DPO) to oversee the collection, use, and disclosure of personal data.
These are some of a DPO’s responsibilities:
- Responsible for ensuring compliance with the PDPA
- Responsible for reviewing and updating your firm’s personal data protection policies and processes
- Acts as a point of contact for people to connect with your company for PDPA-related matters
What Are the Consequences of Failing to Comply With the PDPA Regulations?
Businesses in Singapore are accountable for their PDPA compliance.
If a corporation fails to adhere to the compliance requirements, an individual may file a complaint to the PDPC. The PDPC will investigate the matter.
If your business is found to be non-compliant, you can expect these penalties:
- A financial penalty of up to S$1 million
- A financial penalty of 10% of the firm’s turnover in Singapore if annual turnover exceeds S$10 million
- Your company may be ordered to stop collecting, using, or disclosing personal data
- Your business may be required to destroy personal data collected
Stay PDPA Compliant With InCorp’s Advisory Solutions
It is vital to comply with the different PDPA obligations to ensure that your business is not penalised. Engage our PDPA professionals who are ready to help assess and manage your PDPA needs today!
Frequently Asked Questions About PDPA in Singapore
- The PDPA protects individuals’ personal data and ensures it is not misused or collected without consent.
- These are some examples of personal data:
  - Passport number
  - NRIC number
  - Individual’s photo
  - Phone number
- The Personal Data Protection Act covers both electronic and non-electronic (physical) personal data.