Personal Data Protection Act (PDPA)

What is the Personal Data Protection Act (PDPA)?

The Personal Data Protection Act 2012 (PDPA) is legislation passed by the Singapore government in October 2012 and came into force in 4 stages between January 2013 and July 2014. The act governs the collection, use, and disclosure of personal data.

The PDPA recognizes both:

  • Individuals (natural people, whether alive or deceased) rights to the protection of their personal data; and
  • Organizations (including all corporate entities, such as businesses, and unincorporated bodies, including those founded or residing outside of Singapore) need to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (see below).

Defining Personal Data

Personal data can be defined as any data from which an individual can be identified. It refers to data that can be used for the identification of a person and some other relevant information that one’s organization or business can access.

Here are various examples of personal data from which a person can be identified:

  1. Biometrics of individuals (fingerprints or face geometry);
  2. Name and NRIC number;
  3. Visual of an individual (photograph or video);
  4. Voice of an Individual;
  5. DNA

The PDPA Act 2012 also covers the protection of personal data belonging to a deceased individual (who died within the last ten years). However, only the provisions pertaining to the disclosure and protection of personal data will apply to such personal data.

Personal Data Exemption – What?

There are personal data where PDPA is not applicable which includes:

  1. Personal data which has been recorded and have been stored for 100 or more years;
  2. Personal data of a deceased who has been dead for more than ten years.
  3. Business contact information that is not provided for personal purposes and may include:
    • Name
    • Designation
    • Company phone number
    • Company Email and Address

PDPA Compliance Exception – Who?

PDPA governs the collection, use, and disclosure of personal information by organizations. However, there are exceptions and the following people are exempt from these requirements:

  • Public agency
  • Organizations acting on behalf of public agency
  • Individuals acting in a personal or domestic capacity

During the course of an individual’s employment, one is required to adhere to the policies of their employer to ensure that the organization complies with the PDPA. They cannot, however, be held personally accountable for activities that cause their organization to violate the PDPA.

The data intermediaries are also partially excluded from these obligations.

According to PDPA, a “data intermediary” is an organization that manages personal data on behalf of another organization. Employees of the organization are not included under this description, though (for which the data is being processed).

Your Business’ Data Protection Obligations

Infographic was taken from pdpc

11 obligations under the PDPA are:

  1. Consent obligation – Your Organisation can collect, use and disclose personal data when consent is given to.
  2. Purpose Limitation Obligation – Your Organisation can collect, use and disclose personal data when consent is given for the purposes that a reasonable person would consider appropriate
  3. Notification Obligation – Your Organisation must inform individuals of the purposes for which their personal data is collected for the intended.
  4. Access and Correction Obligation – Your organization is obligated to provide and/or update information upon requests from individuals regarding
    • How their personal information is used or disclosed in the year prior to the request
    • What personal information of theirs is in the organization’s possession or control
    • Correct inaccuracy or omission of an individual’s personal data
  5. Accuracy Obligation – Your organization is obliged to ensure the accuracy of the completion of individual personal data collected. If the personal data is likely to be:
    • used to execute decisions impacting the concerned individual
    • or is disclosed to another organization.
  6. Protection Obligation – Your organization is required to have security measures to safeguard the personal information within its custody or control, as well as the storage medium or devices on which such information is kept. Risks like unauthorized access, acquisition, usage, and/or disclosure of such data are thereby avoided.
  7. Retention Limitation Obligation – Only keep personal data as long as it is required for commercial or legal reasons, according to your organization’s needs.
  8. Transfer Limitation Obligation – Make sure that the transfer complies with the PDPA’s criteria for data protection if your company is sending personal data abroad, such as by storing it in the cloud.
  9. Data Breach Notification Obligation – Your organization is typically required to notify the Personal Data Protection Commission (PDPC) and affected persons of a data breach if it has affected at least 500 people or has caused (or is likely to cause) significant harm to the affected individuals.
  10. Accountability Obligation – To fulfill the organization’s PDPA requirements,  policies and processes must be put in place and made available to the general public.
  11. Data Portability Obligation* – Organizations are expected to transfer data on an individual that is in their custody to another organization in a generally used machine-readable format upon the request of the individual.

*This will take effect when the regulations are issued.

Practical Implementations of PDPA Obligations

What is the extent an organization can collect personal data?

Your organization may gather, use, or disclose the following types of personal information about a person in accordance with the Purpose Limitation Obligation (see above):

  • Only for reasons that a reasonable person in the circumstances would deem acceptable; and
  • In accordance with the Notification Obligation (see above), your company has notified the person of these reasons when relevant.

What exactly qualifies as “circumstances deem acceptable”?

When deciding whether the aim of such collection, use, or disclosure of personal data is legitimate, specific circumstances must be taken into account.

For instance, a reasonable person is unlikely to think that an objective that violates the law or would cause harm to the individual in question is suitable.

Ensuring compliance with PDPA obligations

Important factors to take note of for businesses that collect personal information of individuals on a regular basis:

What personal data is being collected?

In order to fulfill the Protection Obligation, knowing the personal data collected can help you better understand the protective measures that are required and determine if the goals for which the data is being gathered are being met.

What are the objectives of collecting personal data?

By keeping in check the primary purposes of data collection, the business can adhere to the Purpose Limitation Obligation as well as the Retention Limitation Obligation.

Who is responsible for the collection of personal information?

Only authorized personnel with adequate training on PDPA should be part of the collection process. The appointment personnel can then fulfilled  Notification Obligation and the Consent Obligation.

How and Where the personal data is stored?

Methods to ensure the data are stored securely so that the organization adheres to the Protection Obligation.

To whom the personal data is disclosed?

Even if your organization is required to grant access to personal information upon request, you should nonetheless confirm the requester’s identity. By, for instance, requiring acceptable identity documents prior to granting such access. Thus, unintentional disclosures of personal information would be avoided. This step is in place to comply with the Protection Obligation and the Access and Correction Obligation.

1. Implementation of the protective data measures

Establishing personal data protection policies and disseminating them to your staff are essential steps in ensuring that your organization complies with the Protection Obligation. For instance, putting physical and technical measures.

    • Physical Measures: Limiting access to personal information to authorized staff and holding physical records—such as printed records including employees’ NRIC numbers and home addresses—in a secure area. For instance, a lockable file cabinet.
    • Technical Measures: Computer systems where the data is stored should have reliable anti-virus software set up and keep a strong password for electronic files holding personal data.

2. Using tools to evaluate the PDPA compliance of your organization

To determine the areas where your company is not PDPA compliant, you may find the PDPA Assessment Toolkit on the PDPC website useful.
It offers a facilitated questionnaire about the rules and practices for protecting personal data at your company. It can consequently act as a convenient checklist for your company’s PDPA compliance.

3. Appointment of a Data Protection Officer

The PDPA requires your organization to a DPO, whose duty is to make sure business adherence to all the obligations. Your DPO is also required to review and update business policies in accordance to the changes of the data protection laws. Lastly, he also serves as a point of contact for individuals to who have questions about your organization’s PDPA policies.

Get in touch with Elitez Data Protection, if you do not know where to start.

4. Consequences of Violations of the PDPA

If it is determined that your company is not in compliance with the PDPA, the PDPC may:

    • Impose a monetary fine of up to $1 million
    • Order your organisation from collecting, using and disclosing any personal data in violation of the PDPA.
    • Order your organisation to delete any personal information obtained in violation of the PDPA
  • Read more about the recent enforcement decision from the pdpc here.

Considerations for your business, if you Collect, Use or Disclose personal data

  • If your organization uses the cloud to store personal data, you must take the necessary precautions to guarantee that the PDPA’s data protection requirements are followed.
  • If your company sends out email newsletters, you should make sure that the PDPA and other related regulations are followed in the development, transmission, and administration of your subscriber list.
  • If your company engages in telemarketing, you should make sure that all applicable laws, including those pertaining to the Do Not Call (DNC) Registry, are followed. Under the PDPA’s DNC regime, organizations are not allowed to send marketing messages to Singapore numbers that are listed on the DNC Registry.
  • Whether your business maintains physical or electronic records, the data must be properly disposed of in accordance with the PDPA.
  • Organizations are also prohibited from collecting, using, or disclosing NRIC numbers or making copies of people’s NRICs unless authorized by law or is necessary to confirm a person’s identification with a “high degree of fidelity.”

Understanding the organization’ PDPA duties is crucial to preventing personal data thefts, leaks, and the financial penalties that follow.

Consider sending your team for training with us today on Fundamentals of the Personal Data Protection Act (2020), our trainer is accredited by PDPC. Anyone that handles personal data should attend this course.