Introduction
Singapore enacted the Personal Data Protection Act ("PDPA") in 2012, and it came into force in phases. There are two main sets of provisions in the PDPA. The first are the "Data Protection" provisions that govern the collection, use, and disclosure of individuals' personal data; these came into force on 2nd July 2014. The second set of provisions pertains to Singapore's national "Do Not Call Registry" and sets out an organization's obligations when sending marketing messages to Singapore telephone numbers.
The Personal Data Protection Regulations 2014 (Regulations), issued under the PDPA, specifically lay down the cross-border data transfer requirements and the procedure of data access and/or correction requests from individuals. Singapore further introduced new extensive amendments to the PDPA through the Personal Data Protection (Amendment) Act 2020.
Who Needs to Comply with PDPA
Material Scope
The PDPA applies to the collection, use, and disclosure of personal data of an individual. The law defines personal data as any information that can be used to identify an individual. Unlike most global regulations, the PDPA doesn’t provide a more detailed definition of personal data, nor does it provide any other categories of personal data, such as sensitive personal data. Hence, the PDPA applies to personal data in a broader manner.
Territorial Scope
The provisions of the PDPA apply to organizations situated in Singapore and collecting, using, or sharing personal data within Singapore. They also apply to organizations outside of Singapore that process data of customers in Singapore or track their online activities within Singapore.
Definition of Key Terms
Personal Data
The PDPA defines personal data as any data through which an individual can be identified.
Derived Personal Data
Derived personal data is information about an individual that an organization derives from other personal data it already holds, whether about that individual or about someone else. It does not cover personal data derived using prescribed methods or means.
Data Intermediary
A data intermediary is an organization that processes the personal data of an individual on behalf of another organization that possesses or controls the data.
Obligations for Organizations under PDPA
Consent Requirements
The PDPA provides a detailed set of requirements for consent acquisition, management, and withdrawal. It requires organizations to obtain consent from an individual for the collection, use, or disclosure of their personal data. However, an organization may collect, use, or disclose an individual’s personal data without consent if it is required or authorized by the provisions of the PDPA.
Consent is not validly given unless the individual has been provided with a Notification of Purpose informing them of the purpose for which their data is collected, used, or disclosed. Consent is invalid if it is obtained by making the supply of a product or service conditional on the individual consenting, or by providing false or misleading information.
Deemed Consent
Consent is "deemed consent" where an individual is treated as having voluntarily consented to the collection, use, or disclosure of their personal data for a specific purpose. Similarly, if an individual has given, or is deemed to have given, consent to the disclosure of their personal data to another organization, that consent is treated as valid consent to the collection and use of the personal data by the receiving organization.
Before relying on deemed consent, an organization must conduct an assessment to determine that the collection, use, or disclosure is not likely to have an adverse effect on the individual. The organization must also inform the individual of the purpose of the collection, use, or disclosure and of the period within which the individual may notify the organization that they do not consent to the proposed processing of their personal data.
Consent Withdrawal
An individual has the right to provide reasonable notice to an organization and withdraw their consent from the collection, use, or disclosure of their personal data for any purpose. Upon receiving the withdrawal request, the organization must inform the individual about any consequences of their consent withdrawal. More importantly, the organization must further cease to collect, use, or disclose the personal data of the individual unless otherwise authorized or required by the Singapore PDPA.
Purpose Limitation Requirements
The PDPA requires organizations to limit the collection, use, and disclosure of personal data, balancing the individual's right to safeguard their information with the legitimate needs of organizations to handle personal data for purposes deemed reasonable by an average person, given the circumstances.
Privacy Notice Requirements
Organizations are required to create and maintain a Notification of Purpose, which is akin to a Privacy Policy, as mentioned in other global data privacy and protection laws. The Notification of Purpose should include the following information:
- The data collection, usage, or disclosure purposes on or before the collection of personal data.
- Purpose of the use or disclosure of personal data for purposes other than those informed initially to the individual.
- At the individual's request, the organization shall provide the contact information of an individual who can answer the questions raised by the individual about whom the personal data is collected, used, or disclosed.
The PDPA goes a step further and provides a separate provision for disclosure between organizations. Where an organization collects an individual's personal data from another organization without the individual's consent, it must provide a notification of purpose to the disclosing organization so that the disclosing organization can review it and decide whether the disclosure is lawful under the PDPA.
An organization is not required to provide a Notification of Purpose if it has collected, used, or disclosed an individual's personal data without their consent under Section 17, or if the individual is "deemed to have consented" to the collection, use, and disclosure of their personal data.
For employment purposes, the law requires organizations to inform individuals about the purpose of collecting, using, or disclosing their personal data and provide them with the information of a business contact who can answer the individual’s questions regarding the collection and processing of personal data.
Data Accuracy & Completion Requirements
The PDPA requires organizations to ensure the accuracy and completeness of an individual’s personal data if that data is to be used for decision-making purposes affecting the concerned individual or is likely to be shared with another organization.
Data Security Requirements
Section 24 of the Singapore PDPA requires organizations to put in place "reasonable" security arrangements to prevent unauthorized access, copying, disclosure, modification, or disposal of personal data.
Data Retention Requirements
Organizations must cease to retain personal data, or remove the elements that could be used to identify an individual, as soon as it is reasonable to assume that retention no longer serves the purpose for which the data was collected and that retention is no longer required for any legal or business purpose.
Cross-border Data Transfer Requirements
Organizations may not transfer individuals' personal data outside Singapore unless they ensure that the receiving organization provides a standard of protection comparable to that under the Singapore PDPA. However, an organization may apply in writing to the Commission for an exemption allowing it to transfer personal data outside these restrictions. The Regulations elaborate further on cross-border data transfer requirements.
Data Breach Requirements
Organizations are required to notify the Commission and the affected individuals of a data breach if they assess that the breach results in, or is likely to result in, significant harm to an affected individual, or if it is of a significant scale. A data breach is deemed to result in significant harm to an individual if it involves prescribed personal data or a prescribed class of personal data.
Similarly, if a data intermediary has reason to believe that a data breach has occurred, it must notify the organization without undue delay, and the organization must assess the breach upon receiving the notification.
Once an organization has determined that a data breach is notifiable, it must notify the Commission as soon as practicable and no later than 3 calendar days. After notifying the Commission, the organization must notify the affected individuals, and the notification must contain all the information prescribed under the PDPA.
Data Subject Rights
Right to Access
On request by an individual, your organization is required to provide the individual with the personal data about them that is in your organization's possession or under its control, and with information about the ways in which that personal data has been or may have been used or disclosed by your organization within the year before the date of the request, unless an exception or prohibition applies. The PDPA also exempts some types of personal data under the Fifth Schedule. The exemptions include:
- Information that is kept by an arbitral institution for arbitration purposes.
- Documents that are related to prosecutions.
- Personal data subject to legal privileges.
- Data that could reveal the confidential information of an organization, harming its competitive position.
- Data that could interfere unreasonably with the operations of the organization.
Apart from those exemptions, an organization must not provide an individual with access to personal data if it has reason to believe that doing so would threaten the safety of another individual, reveal the identity of another individual, or cause immediate physical or mental harm to the individual making the request.
Should an organization decline to provide an individual with access to their data under any section of the law, it must inform the individual of the refusal within the prescribed time and in the prescribed manner. Part II of the Regulations elaborates further on data access requests.
Right to Rectify
An individual has the right to submit a request to your organization to correct an error or omission in the individual’s personal data that is in the possession or under the control of your organization.
Individuals have the right to know how their personal data is being collected, used, or shared. Organizations are required to inform individuals about the purposes for which their personal data will be used before collecting it.
Right to Opt-Out
Individuals may, at any time, on giving reasonable notice to your organization, withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use, or disclosure of their personal data for any purpose by your organization.
Right to Correction
Unless it has reason to believe that a correction should not be made, an organization must comply with an individual's correction request and correct any error or omission in their personal data. The organization must further send the corrected personal data to every other organization to which the data was disclosed within a calendar year after the request has been made. If the organization does not make the correction, it must annotate the personal data with the correction that was requested but not made.
The right to correction is subject to the exceptions set out in the Sixth Schedule of the Act. For instance, it does not apply to derived personal data, to documents containing personal data related to prosecutions, or to the personal data of beneficiaries of a private trust.
The PDPA requires organizations to preserve a copy of an individual's personal data for not less than the prescribed period to ensure its accuracy and completeness. Part II of the Regulations elaborates further on data correction requests.
Regulatory Authority
The Personal Data Protection Commission is designated as a regulatory body that is responsible for the administration and enforcement of the PDPA. Its other responsibilities include:
- The promotion and awareness of data protection in Singapore.
- Providing consultancy and other assistance associated with data protection.
- The representation of the government internationally.
- Consulting the government in all matters related to the Data Protection Act.
Penalties for Non-Compliance
The PDPA outlines the following penalties in case of non-compliance:
- Organizations whose annual turnover in Singapore exceeds S$10 million are subject to a financial penalty of 10% of that turnover for violating the provisions of Part 3, 4, 5, 6, 6A, or 6B of the PDPA. In any other case, the penalty is S$1 million.
- Financial penalties for breaches of the Do Not Call provisions can be up to S$1 million for organizations and up to S$200,000 for individuals.
- Contravention of certain provisions can also lead to imprisonment; these include unauthorized disclosure of personal data, improper use of personal data, and unauthorized re-identification of anonymized data.
How Can Organizations Operationalize Singapore's PDPA?
Organizations can streamline and simplify their PDPA compliance efforts by considering the following best practices.
- Establish and maintain clear, transparent policies and procedures for the processing of personal data in line with the Singapore PDPA requirements.
- Provide individuals with a clear and up-to-date Notification of Purpose and an automated consent notice communicating the purposes of personal data collection, use, and disclosure.
- Provide individuals with a simple mechanism for submitting data subject requests, and a process for handling them lawfully.
- Provide proper training to personnel who deal with personal data management.
- Establish controls and policies associated with appropriate technical and organizational security measures for data protection.
How Securiti Can Help
Organizations can simplify their data compliance operations and management with Securiti PrivacyOps, an integration of the Data Command Center. The solution leverages contextual data and AI insights to enrich its knowledge graph with rich metadata associated with data, controls, policies, processes, and regulatory intelligence, providing you with a single source of truth to derive your data security, privacy, governance, and compliance obligations.