
Singapore Personal Data Protection Act, 2012

Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, and it came into force in phases; the data protection provisions took effect on 2nd July 2014. The PDPA contains two main sets of provisions: the 'Data Protection' provisions govern the collection, use, and disclosure of individuals' personal data, and the provisions on Singapore's national 'Do Not Call Registry' set out an organisation's obligations when sending marketing messages to Singapore telephone numbers.

The Personal Data Protection Regulations 2014, issued under the PDPA, specifically lay down the requirements for transferring data out of Singapore and the procedure for handling individuals' access and/or correction requests. Singapore has recently introduced extensive amendments to the PDPA through the Personal Data Protection (Amendment) Act 2020.

Definition of Personal Data under the PDPA

  • The PDPA defines 'personal data' as 'data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.' All types of personal data fall within the ambit of the PDPA, whether electronic or non-electronic, and regardless of whether it is sensitive.
  • 'Anonymised data' does not fall within the scope of the PDPA.


Data Subjects’ Rights Under the PDPA

  • The right to give consent, and to withdraw it at any time by giving reasonable notice, unless withdrawal would jeopardise the performance of a legal obligation;
  • The right to request that an organisation provide access to the personal data it holds about them and information about the ways in which that personal data is being processed, subject to the exceptions in the Fifth Schedule of the PDPA;
  • The right to request that an organisation correct any inaccurate data it holds, subject to the exceptions in the Sixth Schedule of the PDPA;
  • The right to data portability, a new data subject right added to the PDPA through the aforementioned amendments. Under this right, data subjects can request the transmission of their data to another service provider, subject to certain requirements and exceptions.


Organisations’ Obligations under PDPA

Organisations that handle and control personal data must comply with the following obligations set out in Parts III to VI of the PDPA.

  • An organisation must implement the policies and procedures necessary to meet its obligations under the PDPA and must make information about those policies and procedures publicly available.
  • An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, once the purpose for which the data was collected has been fulfilled.
  • Organisations are responsible for personal data processed on their behalf by other parties or contractors (data intermediaries). This means that an organisation may be held liable for any non-compliance with this provision by its data intermediaries.
  • An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. Organisations must also appoint a Data Protection Officer to ensure compliance with the PDPA.
  • An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.


Mandatory Data Breach Notification Requirement

  • Through the 2020 amendments to the PDPA, Singapore has introduced a mandatory requirement for organisations to notify the PDPC of a data breach that
    • results in, or is likely to result in, significant harm to the affected individuals; or
    • is of a significant scale.
  • Organisations are also required to notify the affected individuals if the data breach is likely to result in significant harm to them. Where an organisation has reason to believe that a data breach has occurred, it must assess, in a reasonable and expeditious manner, whether the breach is a notifiable data breach.

Who must comply with PDPA?

The PDPA covers any organisation that collects, uses, and/or discloses personal data from individuals in Singapore, whether or not the organisation is located in Singapore. However, the Act does not cover the following:

  • Any individual acting in a personal or domestic capacity;
  • Any employee acting in the course of his or her employment with an organisation;
  • Any public agency; and
  • Any organisation acting on behalf of a public agency in relation to the collection, use, or disclosure of personal data.

Non-Compliance Risks

As per Part II of the PDPA, the Personal Data Protection Commission (PDPC) is the regulatory body that enforces the provisions of the PDPA. The PDPC has broad discretion to issue remedial directions, initiate investigations and inquiries, and impose fines and penalties on organisations for any non-compliance with the PDPA.

1. If an organisation misuses personal data or hides information concerning its collection, use, or disclosure, the PDPA provides for penalties not exceeding S$50,000 (approx. $36,000).

2. Hindering a PDPC investigation can lead to a fine of not more than S$100,000 (approx. $72,000). The PDPA states that companies are also liable for their employees' actions, whether they are aware of them or not.

3. The new amendments to the PDPA have increased the financial penalties for breaches of the PDPA to up to 10% of annual gross turnover in Singapore, or S$1 million, whichever is higher.

4. Non-compliance with specific provisions of the PDPA may also constitute an offence, for which a fine or a term of imprisonment may be imposed.

5. An individual can bring a private civil action against an organisation for loss or damage suffered directly as a result of a contravention of the provisions of the PDPA.


Automating Compliance: How Securiti Can Help

Given the complex obligations organisations face in managing individuals' disclosure, access, and modification requests, ensuring effective security measures, fulfilling data breach notification requirements, and meeting other compliance requirements, complying with the PDPA can be very labour-intensive and costly.

Securiti is the leader in AI-powered PrivacyOps and data governance. Similar to DevOps for software, PrivacyOps reimagines how to implement privacy management throughout an organisation efficiently.

Securiti is a recognized innovator in this market, having been awarded "Most Innovative Startup" at RSA Conference 2020, and Leader in the Forrester Wave: Privacy Management Software. Securiti's PrivacyOps solution uniquely combines real-time sensitive data intelligence harnessing bot and AI technology with full workflow automation of all the major privacy compliance functions.