Singapore's PDPA governs the collection, use and disclosure of personal data. Private-sector organizations that fail to comply with the PDPA face significant financial penalties and serious reputational harm.
The Singapore Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data by private-sector organizations. The Act came into full effect on 2 July 2014. The Personal Data Protection (Amendment) Act 2020, passed by Parliament on 2 November 2020, has since been brought into force in phases, starting on 1 February 2021. Organizations that fail to comply with the PDPA can be fined up to SGD 1 million (and more under the amended penalty regime) and suffer reputational damage.
The Singapore PDPA generally applies to all private organizations with respect to the personal data of individuals that they collect, use or disclose.
However, certain organizations are exempt from the Singapore PDPA:
➤ Individuals acting in a personal or domestic capacity
➤ Employees acting in the course of their employment with an organization
➤ Public bodies
➤ Any other organization or personal data, or classes of organizations or personal data, that may be prescribed
Government agencies are not subject to the requirements of the Singapore PDPA, because public agencies are governed by a separate set of data protection rules with which all public officers must comply. This exemption does not extend to private-sector organizations working on behalf of government agencies; such organizations remain subject to the PDPA.
What is the territorial coverage of the Singapore PDPA?
The PDPA applies to organizations with a presence in Singapore, but also to organizations without a physical presence in Singapore, as long as those organizations collect, use or disclose personal data in Singapore. For example, an organization located overseas that collects data from individuals in Singapore through online channels or platforms is subject to the data protection provisions of the Singapore PDPA.
Intra-group transfers are not exempt: an organization that transfers personal data to its parent company or to a subsidiary remains subject to the data protection provisions.
Organizations that transfer personal data from Singapore to overseas locations are also subject to the data protection provisions, in particular the transfer limitation obligation described below.
What is the material scope of the law?
The Singapore PDPA regulates the collection, use and disclosure of personal data by organizations. The Singapore PDPA expressly excludes from its application the following categories of personal data:
➤ "Business contact information," which the Act defines as an individual's name, position name or title, business telephone number, business address, business e-mail address or business fax number, and any other similar information about the individual that was not provided by the individual solely for personal purposes. Business contact information is excluded except where the PDPA expressly provides otherwise.
➤ Personal data contained in a record that has existed for at least 100 years.
➤ Personal data about an individual who has been deceased for more than 10 years.
Who is the enforcement authority for the PDPA?
The Personal Data Protection Commission (PDPC) is the regulatory authority responsible for administering the Singapore PDPA. The PDPC's main functions, duties and powers are to:
➤ Promote data protection awareness in Singapore
➤ Provide advisory, consultancy, technical, management or other specialized services in relation to data protection
➤ Advise the Government of Singapore ("the Government") on all matters relating to data protection
➤ Represent the Government at the international level on data protection matters
➤ Conduct research and studies and promote educational activities related to data protection
➤ Manage technical cooperation and exchanges in the field of data protection with other organizations
➤ Administer and enforce the PDPA
➤ Perform the functions conferred on the PDPC under any other written law
What are the data protection principles imposed by the law?
The Singapore PDPA imposes the following obligations on organizations with respect to their data activities:
1. Consent Requirement: An organization must obtain an individual’s consent before collecting, using or disclosing his or her personal data for a purpose (sections 13-17 of the Singapore PDPA).
Consent is not required for the collection, use or disclosure of personal data where it falls within one of the exceptions listed in the Act's Schedules. Among other cases, consent is not required where the collection, use or disclosure:
➤ Is necessary for a purpose that is clearly in the individual's interest, provided that consent cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent
➤ Concerns personal data that is publicly available
➤ Is in the national interest
➤ Is in the legitimate interests of the organization or another person, and those legitimate interests outweigh any adverse effect on the individual (an exception introduced by the Amendment Act)
➤ Is required or authorized under written law
The individual must be allowed to withdraw consent on giving reasonable notice, and must be informed of the likely consequences of withdrawal. Consent may also be deemed rather than expressly given. An individual is deemed to consent to the collection, use or disclosure of personal data for a purpose if the individual, without actually giving consent, voluntarily provides the personal data to the organization for that purpose and it is reasonable that the individual would voluntarily provide it. The Amendment Act added further forms of deemed consent, including consent deemed where the collection, use or disclosure is reasonably necessary to conclude or perform a contract with the individual, and consent deemed by notification where the organization notifies the individual of the purpose and gives a reasonable period to opt out.
2. Purpose Limitation Requirement: According to section 18 of the Act, an organization may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent. An organization may not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide the product or service.
3. Notification Obligation: Section 20 of the Act requires an organization to inform an individual of the purpose(s) for which it intends to collect, use or disclose his or her personal data on or before collecting it.
4. Access and Correction Obligations: Upon request, an organization must provide an individual with access to his or her personal data in its possession or control, as well as information about how that data has been or may have been used or disclosed in the year preceding the request (sections 21 and 22 of the Singapore PDPA). The organization must also correct any error or omission in an individual's personal data as soon as practicable and send the corrected data to every other organization to which the data was disclosed within the year before the correction is made, unless that other organization does not need the corrected data for any legal or business purpose.
5. Accuracy Obligation: Under section 23, an organization must make a reasonable effort to ensure that personal data it collects is accurate and complete if the data is likely to be used to make a decision that affects the individual, or is likely to be disclosed to another organization.
6. Duty to Protect: Reasonable security arrangements must be made to protect personal data in your organization’s possession from unauthorized access, collection, use, disclosure or similar risks. (Section 24 of the Singapore PDPA).
7. Retention Limitation Obligation: An organization must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the data was collected is no longer served by retention and retention is no longer necessary for legal or business purposes (section 25 of the Singapore PDPA).
8. Transfer Limitation Obligation: An organization must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA, which are intended to ensure that the transferred personal data receives a standard of protection comparable to that under the PDPA (section 26 of the PDPA).
9. Obligation on Policies and Practices: An organization must appoint a person responsible for ensuring that it complies with the Singapore PDPA, called a Data Protection Officer (“DPO”), and develop and implement policies and practices that are necessary to fulfill its obligations under the PDPA, including a process for receiving complaints. In addition, the organization is required to communicate information about these policies and practices to its staff and to make information about these policies and practices available to individuals upon request (sections 11 and 12 of the PDPA).
10. Data Breach Notification Obligation: Introduced by the Amendment Act, this obligation requires an organization to assess whether a data breach affecting personal data in its possession or control is notifiable. A breach is notifiable if it results in, or is likely to result in, significant harm to affected individuals, or if it is of a significant scale (affecting 500 or more individuals). The organization must notify the PDPC as soon as practicable and no later than three calendar days after assessing that the breach is notifiable, and must also notify affected individuals where the breach is likely to cause them significant harm.
The Amendment Act also adds a data portability obligation, to be brought into force separately. Once in force, an organization that receives a data porting request from an individual must transmit the applicable data specified in the request to the receiving organization in accordance with the prescribed requirements.
What can we do as data subjects under the PDPA?
The rights of data subjects in accordance with the Personal Data Protection Act 2012 are as follows:
Right to be informed
Although there is no stand-alone right to be informed under the Singapore PDPA, organizations are subject to several data protection obligations under the PDPA that require them to notify the individual in certain circumstances.
When collecting personal data, an organization must notify the individual of the purposes for which the data will be collected, used or disclosed, on or before collection (unless the individual is already deemed to have consented or an exception applies). On request, the organization must also provide the business contact information of a person who is able to answer the individual's questions about the collection, use or disclosure. If the individual does not consent, the organization may not collect, use or disclose the data for that purpose.
Right of access
An organization must allow an individual to access personal data in its possession or control upon request.
The organization has a duty to respond to applicants’ requests for access to their personal data as accurately and completely as necessary and reasonably possible, subject to the exceptions cited in the Singapore PDPA.
Upon receipt of individuals’ requests, the organization is required to provide individuals, as soon as reasonably possible, with:
➤ Personal data about them that is in the possession or control of the organization.
➤ Information about how that personal data has been or may have been used or disclosed by the organization in the year preceding the date of the request.
An organization must provide a copy of each applicant’s personal data in documentary form or in any other form requested by the individual as acceptable to the organization.
If it is not possible to do so, the organization may provide the individual with a reasonable opportunity to review the personal data.
Under the access obligation, organizations may charge requesters a reasonable fee for responding to access requests. In doing so, an organization must provide the requester with a written estimate of the fee.
There are certain exceptions under which organizations are permitted to deny access to an individual’s personal data.
➤ Where such access would reveal personal data about another individual, or would be contrary to the national interest
➤ Where the burden or expense of providing access would be unreasonable for the organization or disproportionate to the individual's interests
➤ If the request is otherwise frivolous or vexatious
Right of rectification
An organization shall permit an individual to correct personal data in its possession or control upon request. Individuals have the right to request an organization to correct any inaccurate data that is under the organization’s control, subject to exceptions.
An organization may not make a requested correction if it is satisfied on reasonable grounds that a correction should not be made. If no correction is made, the organization must annotate the personal data in its possession or control with the correction that was requested but not made.
Right to erasure
The Singapore PDPA does not provide a stand-alone right to erasure. Instead, an individual may withdraw consent to the collection, use or disclosure of his or her personal data (see the right of objection below), after which the organization must cease collecting, using or disclosing the data for that purpose, unless retention is required or authorized by law.
In addition, under the retention limitation obligation, organizations must cease retaining personal data, or anonymize it, once retention no longer serves the purpose for which the data was collected and is no longer necessary for legal or business purposes.
Right of objection
Individuals have the right to withdraw their consent to the collection, use or disclosure of their personal data at any time upon reasonable notice.
With respect to withdrawal of consent, individuals should be aware that withdrawal of certain types of consent may affect the organization’s ability to continue to provide the services requested.
Right to data portability
Once the data portability provisions introduced by the Amendment Act are in force, an individual will be able to submit a data porting request to a porting organization, which must then transmit the applicable data to the receiving organization in accordance with the prescribed requirements.
What are the penalties for non-compliance?
The PDPC is responsible for the enforcement of the Singapore PDPA. Where the PDPC is satisfied that an organization has violated the data protection provisions of the PDPA, the PDPC has broad discretion to issue such remedial instructions as it deems appropriate. These include directions requiring the organization to:
➤ Cease collecting, using or disclosing personal data in violation of the PDPA
➤ Destroy personal data collected in violation of the PDPA
➤ Provide access to or correct the personal data
➤ Pay a financial penalty of up to SGD 1 million
Under the Amendment Act, the maximum financial penalty is raised to the higher of SGD 1 million or 10% of the organization's annual turnover in Singapore, for organizations with annual Singapore turnover exceeding SGD 10 million. This increased penalty regime came into force after the other amendments, on 1 October 2022.