Countries worldwide are intensifying their focus on data privacy in response to widespread demands for increased protection, similar to the General Data Protection Regulation (GDPR). Hence, Singapore is no exception. In 2020, the country updated its Personal Data Protection Act (PDPA) to enhance its commitment to safeguarding individuals’ data.
In this article, we guide you through Singapore’s key Personal Data Protection Act (PDPA), which ensures organisations take ownership of personal data.
What is the Personal Data Protection Act in Singapore?
The Personal Data Protection Act (PDPA) was enacted in Singapore on 15 November 2012 and came into effect on 2 July 2014. The PDPA regulates the collection, use, and disclosure of personal data by organisations to safeguard individuals’ privacy.
Starting in 2020, amendments to the PDPA have been implemented in various stages through the Personal Data Protection (Amendment) Act 2020. The act, effective 1st February 2021, mandates
- Notification in case of data breach
- Introduces criminal offences
- Broadens the scope of deemed consent
- Adds exceptions to the obligation of obtaining express consent
What is Personal Data?
Under Personal Data Protection Singapore, “personal data” means data, whether true or not, about a customer who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access. These include but not limited to:
- Name
- National Residential Identity Card number
- Passport number
- Photograph or video image of an individual
- Mobile telephone number
- Personal email address
- Thumbprint
- Residential address
The PDPA does not apply to business contact information unless it’s provided solely for personal purposes. Additionally, “Anonymized data” falls outside the scope of data protection.
Important Requirements Under PDPA
As per the Personal Data Protection Committee of Singapore (PDPC), companies must adhere to three key considerations regarding data protection obligations under the PDPA: focus.
- Personal data collection
- Personal data care
- Right of an individual over personal data
What Are the 11 Data Protection Obligations?
There are 11 data protection obligations to safeguard personal data entrusted to you by your customers and employees. It includes the following.
Accountability Obligation
Corporations must take on methods to fulfil their obligations under the PDPA. They must also designate a Data Protection Officer (DPO) and make company contact information publicly accessible.
Notification Obligation
Companies must inform customers of the specific purposes for which they intend to collect, use, or reveal their data.
Consent Obligation
Businesses must only collect, use, or reveal personal data for the purposes that the person has consented to.
The individual must be able to withdraw consent with a reasonable notice period while being informed of any consequence of doing so. After permission is withdrawn, the company must stop any activity of collecting, using, or disclosing personal data.
Purpose Limitation Obligation
A company must only use, collect, or reveal an individual’s personal data for appropriate purposes when consent is provided.
Moreover, it cannot request that the person allow the use, collection, or disclosure of personal data beyond reasonable limits as a condition of delivering a product or service.
Accuracy Obligation
Companies must make a reasonable effort to make sure that the personal data they collect is whole and precise. This is especially so if the data is highly likely to be used to make a choice that affects the customer or will be revealed to another business.
Protection Obligation
Organisations must ensure that they undertake reasonable security arrangements to safeguard the personal data in their possession. This is to avoid risks like unauthorised access, use, collection, or disclosure of personal data.
Retention Limitation Obligation
Companies must stop withholding personal data or get rid of it properly when it is not needed for any business or lawful reason.
Access and Correction Obligation
Organisations must provide individuals with access to their data and details on how it was used or revealed within 1 year from the date of request.
They must also rectify any error or omission in the personal data as soon as possible. After which, they must send the updated data to other organisations, where it was disclosed within 1 year.
Data Breach Notification Obligation
When a data breach occurs, associations must implement ways to determine if it has to be notified. If this breach substantially harms individuals, they must inform the Personal Data Protection Commission (PDPC) Singapore and the affected people as soon as possible.
Data Portability Obligation
When requested, companies must transfer an individual’s data to another organisation in a machine-readable, frequently used format.
Consequences of Failing to Comply With the PDPA Regulations
In accordance with the Singapore Personal Data Protection (Amendment) Bill, organisations can be fined up to S$1 million or 10% of their annual Singapore’s revenue for not complying with the PDPA. Moreover, your company may no longer be able to disclose personal data, use, or collect it.
Specifically, in accordance with the PDPA, all organisations must adhere to the Do-Not-Call Provisions and meet the following nine obligations:
How to Comply with Singapore’s PDPA?
If you handle personal data in Singapore or of Singaporean data subjects, you must comply with particular obligations outlined in Parts III to VI of the PDPA.
- Companies must develop and enforce policies and procedures to meet data protection obligations, which should be publicly accessible.
- Organisations must delete, anonymise, or eliminate means of collecting personal data once the initial purpose is fulfilled. They are also obligated to address data subject requests within statutory rights.
- Every organisation is responsible for processing personal data on their behalf by data intermediaries. Consequently, they may be held liable if these intermediaries fail to comply with the PDPA.
- Companies must protect personal data by implementing security measures to prevent unauthorised access, use, or disclosure. It is recommended to appoint one or more Data Protection Officers (DPOs) to oversee PDPA compliance.
- Adhere to Mandatory Data Breach Notification Requirements once the breach is assessed and identified as a notifiable breach.
- Companies must ensure that data transferred outside Singapore complies with PDPA requirements while in their custody. Exceptions apply when recipients are bound by legally enforceable obligations similar to the PDPA.
Enforcement of Singapore’s PDPA
In June 2022, the Commission issued fines of S$750,000 and S$250,000 — the largest fines to date — on Integrated Health Information Systems and Singapore Health Services. These fines were imposed due to insufficient safeguards for safeguarding the medical records of data subjects, leading to a significant data breach from a cyberattack.
Criminal Penalty
Companies with significant data breaches may face substantial financial penalties or criminal liability, potentially leading to imprisonment. Mitigating factors, such as early detection and response or prompt data breach notification, and aggravating factors, like non-cooperation during investigations, will be taken into account.
Civil Liability
In cases of data breach, companies may be held liable to individuals who suffer harm. These individuals can pursue the reliefs: an injunction, damages, or any other orders, reliefs, or declarations deemed necessary by the court.
Appointment of Data Protection Officer (DPO)
Under the PDPA, the appointment of a Data Protection Officer (the “DPO“) is mandatory when the company/organisation is collecting personal data in the course of carrying out its business operations. A DPO of your company can be one individual or a team (either an employee or externally appointed) to ensure its compliance with the PDPA. Primarily, the role of the DPO includes the following:
- Develop and implement processes and policies for the handling of personal data;
- Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
- Manage queries and complaints regarding your business’ protection of personal data;
- Alert management of any risks of data protection which may arise;
- Data breach management;
- Liaise with the Personal Data Protection Commission (PDPC) on data protection matters, where necessary
Stay PDPA Compliant With InCorp’s Advisory Solutions
It is vital to comply with the different PDPA obligations to ensure that your business is not penalised. Engage our PDPA professionals who are ready to help assess and manage your PDPA needs today!
Frequently Asked Questions About PDPA in Singapore
- The PDPA encompasses all electronic and non-electronic personal data, whether true or false.
- Yes, it applies to all organisations, including public agencies, private companies, sole proprietorships, partnerships, and associations that collect, use, or disclose personal data.
- Both the living and deceased’s personal data are protected under the PDPA. However, those deceased for at least 10 years are excluded from the Personal Data Protection Act. It also does not apply to personal data maintained in a record that has existed for a minimum of 100 years.
- When transferring personal data abroad, companies must take reasonable measures to ensure it's protected as per the PDPA. This might involve requiring overseas recipients to contractually commit to safeguarding the data in line with data protection standards.
Get our expert advice on PDPA matters for your company!
About the Author
