Essential PDPA Compliance Guide for Singapore Businesses
What is the Personal Data Protection Act (PDPA)?
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.
The PDPA recognises both:
- The right of individuals (natural persons, whether living or dead) to protect their personal data; and
- The need of organisations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (see below).
What is personal data?
Personal data means:
- Data about an individual who can be identified from that data itself; or
- Data about an individual who can be identified from that data and other information to which your business has or is likely to have access
Examples of personal data that can, on its own, identify an individual include:
- Biometric identifiers (face geometry or fingerprints)
- Name and NRIC number
- Photograph or video image of an individual
- Voice of an individual
- DNA profile
Note that the PDPA also protects, to a limited extent, the personal data of individuals who have been dead for 10 years or fewer. For such personal data, only the provisions relating to the disclosure and protection of personal data will apply.
What are the types of personal data the that PDPA does not apply to?
The PDPA does not apply to the following categories of personal data:
- Personal data that is contained in a record that has been in existence for at least 100 years; and
- Personal data about a deceased individual who has been dead for more than 10 years
- Business contact information, which is information not provided by an individual solely for personal purposes, and includes an individual’s:
- Business title;
- Business telephone number; and
- Business address and email address
Who is Not Obliged to Comply with the PDPA?
The PDPA imposes obligations on organisations in respect of the collection, use and disclosure of personal data in Singapore.
The following persons, however, do not have to comply with these obligations:
- Any individual acting in a personal or domestic capacity;
- Any public agency; and
- Any organisation in the course of acting on behalf of a public agency in relation to the collection, use and disclosure of the personal data
Employees acting in the course of their employment with an organisation will have to adhere to their organisation’s policies for ensuring the organisation’s compliance with the PDPA. However, they themselves cannot be held personally liable for actions resulting in their organisation breaching the PDPA.
Additionally, organisations that are data intermediaries are partially excluded from these obligations.
The PDPA defines “data intermediary” as an organisation that processes personal data on behalf of another organisation. However, this definition does not include employees of the organisation (for which the data is being processed).
What are Your Business Obligations Under the PDPA?
The 10 main obligations under the PDPA are:
1. Consent Obligation: your business can collect, use and/or disclose only the personal data of individuals who have consented to such collection, use and/or disclosure. Read more about the PDPA consent obligation in our other article.
2. Purpose Limitation Obligation: your business can collect, use and/or disclose only the personal data of individuals for the purpose(s) for which consent have been given by these individuals.
3. Notification Obligation: your business must inform individuals of the purpose(s) for which their personal data is being collected, used and/or disclosed.
4. Access and Correction Obligation: your business is obliged to provide information to individuals, upon request and as soon as reasonably possible, on:
- What personal data of theirs is in your business’s possession or under its control; and
- How such personal data has been used or disclosed within 1 year before the date of the request
Your business must also correct errors or omissions in the personal data that is in its possession upon request, unless it is reasonable to not make the correction.
5. Accuracy Obligation: your business must make a reasonable effort to ensure that the personal data collected by the business is accurate and complete, if the personal data is likely to be:
- Used by your business to make a decision that affects the individual to whom the personal data relates; or
- Disclosed by your business to another organisation
6. Protection Obligation: your business must put in place reasonable security measures to protect the personal data in its possession or control, including the storage medium or devices on which such personal data is stored. This is to prevent risks such as the unauthorised access, collection, use and/or disclosure of such data.
7. Retention Limitation Obligation: your business should retain the personal data for only as long as is necessary for business or legal purposes.
8. Transfer Limitation Obligation: if your business is transferring the personal data overseas, such as storing the data in the cloud, ensure that the transfer meets the PDPA’s data protection requirements. This is to ensure that the data being transferred is offered a comparable level of data protection as is provided by the PDPA.
9. Data Breach Notification Obligation: if your business has suffered a data breach that has caused (or is likely to cause) significant harm to affected individuals, or that has affected at least 500 individuals, then it generally must inform the Personal Data Protection Commission (PDPC) and affected individuals of the breach.
10. Accountability Obligation: your business must implement the necessary policies and procedures to fulfil its PDPA obligations. It must make information about such policies and procedures publicly available.
PDPA Obligations Applied in Practice
To what extent can your business collect individuals’ personal data?
Pursuant to the Purpose Limitation Obligation (see above), your business may collect, use or disclose personal data about an individual:
- Only for purposes that a reasonable person would consider appropriate in the circumstances; and
- Your business has informed the individual of these purposes (where applicable under the Notification Obligation (see above)).
What is considered “appropriate in the circumstances”?
The particular circumstances need to be taken into account in determining whether the purpose of such collection, use or disclosure of personal data is reasonable.
For example, a purpose that is illegal or would harm the individual concerned is unlikely to be considered appropriate by a reasonable person.
Ensuring compliance with PDPA obligations
If your business regularly collects personal data, it is important to keep track of:
- What personal data is being collected
- For compliance with the Protection Obligation
- Being aware of the types of personal data being collected will allow you to have a better picture of the type of protective measures needed and evaluate if the purposes for which such data is being collected are best served by the data collection.
- For what purposes the personal data is being collected
- For compliance with the Purpose Limitation Obligation and the Retention Limitation Obligation
- Who is collecting the personal data
- For compliance with the Consent Obligation and Notification Obligation
- Only authorised personnel who have received appropriate training in PDPA compliance should be involved in the collection process
- Where the personal data is stored
- For compliance with the Protection Obligation
- To whom the personal data is disclosed
- For compliance with the Access and Correction Obligation and Protection Obligation
- While your business has to provide access to the personal data of an individual who requests for it, you should verify the identity of the individual. For example, by requesting for appropriate identification documents before providing such access. This would in turn prevent inadvertent leaks of personal data.
1. Implementing data protection policies
In order for your business to be in compliance with the Protection Obligation, it is critical to implement personal data protection policies and communicate such policies to your employees.
For example, your business could implement physical and technical data protection measures.
Physical measures include providing personal data access only to authorised personnel and ensuring that physical records (such as printed documents containing employees’ NRIC numbers and home addresses) are held in a secured location. For example, a locked filing cabinet.
Technical measures range from installing anti-virus software on computer systems to maintaining a strong password for electronic files containing personal data.
2. Utilising tools to assess your business’ compliance with the PDPA
The PDPA Assessment Toolkit available on the PDPC website may be helpful in identifying the areas in which your business is not PDPA compliant.
It provides a guided questionnaire on your business’ personal data protection and policies. It can therefore serve as a handy checklist of your business’ compliance with the PDPA obligations.
3. Appointing a Data Protection Officer (DPO)
It is also compulsory under the PDPA for your business to appoint one or more Data Protection Officer(s) (DPO) to supervise your business’ collection, usage and disclosure of personal data. The DPO is accordingly responsible for ensuring that your business complies with the PDPA.
Your DPO is also required to review and update your business’ PDPA policies and processes in line with the latest regulatory developments.
This is to ensure that your business remains PDPA compliant in light of changes to the relevant data protection rules.
Finally, your business’ DPO will serve as a point of contact for individuals to get in touch with your business for PDPA-related matters.
Read our other article for more information on appointing a Data Protection Officer.
Consequences of Non-Compliance with the PDPA
Your business is accountable for its PDPA compliance in various ways.
For example, individuals may request for access to their personal data held by your business (see the Access and Correction Obligation above). They may also submit a complaint to the PDPC which will investigate your business’ conduct and compliance with the PDPA.
If it is found that your business is not PDPA-compliant, the PDPC may:
- Impose a financial penalty of up to $1 million
- Direct your business to stop collecting, using or disclosing personal data in contravention of the PDPA
- Direct your business to destroy personal data collected in contravention of the PDPA
In April 2016, the Business Times reported that 11 companies, including Challenger Technologies and K Box Entertainment Group (K Box), had been fined for breaching data protection obligations under the PDPA.
K Box, in particular, was given a financial penalty of $50,000 for failing to implement adequate security measures to protect the personal data of its members.
What Should You Do If You Collect, Use or Disclose Individuals’ Personal Data Throughout the Course of Your Business?
- If your business wants to store personal data in the cloud, you should take appropriate steps to ensure that the transfer of data to the cloud complies with the PDPA’s data protection laws.
- If your business issues newsletters through email, you should ensure that the creation and sending of your newsletter as well as the management of your subscriber list complies with the PDPA and other applicable laws.
- Should your business be involved in telemarketing, you should ensure that the relevant regulations, including those relating to the Do Not Call (DNC) Registry are complied with The DNC regime established under the PDPA, prohibits organisations from sending marketing messages to Singapore telephone numbers registered with the DNC Registry.
- If your business maintains physical or electronic records of personal data, these records have to be disposed of, using appropriate methods, as stipulated in the PDPA.
- Businesses are also not allowed to make copies of individuals’ NRICs, or collect, use or disclose NRIC numbers, unless this is required by law or required to verify an individual’s identity to a “high degree of fidelity”.
To prevent thefts and leaks of personal data, and monetary penalties as a result, it is important to have a clear understanding of the business’ PDPA obligations.
If you have any questions or concerns regarding PDPA compliance, consider getting in touch with one of our data protection lawyers.
- Appointing Company Directors in Singapore: Eligibility, Process etc.
- Managing Director vs CEO in Singapore: Roles and Obligations
- Guide to Directors' Remuneration in Singapore
- Directors' Duties in Singapore
- Shadow Directors: Who are They and What Duties Do They Owe to the Company?
- How to Remove a Director from a Company in Singapore
- Removal and Resignation of Company Auditor in Singapore
- Appointing a Company Secretary: Roles and Responsibilities
- Appointing an Authorised Representative for Foreign Companies in Singapore
- Process Agents in Singapore
- 2 Ways to Remove a Singapore Company Shareholder ASAP
- Guide to Paid-Up Capital in Singapore (Is $1 Enough?)
- Preparing a Register of Shareholders for a Singapore Company
- How to Issue Shares in a Singapore Private Company
- Guide to Transferring Shares in a Singapore Private Company
- Your Guide to Share Certificates in Singapore: Usage and How to Prepare
- Shareholder Rights in Singapore Private Companies
- Shareholder Roles and Obligations in Singapore Companies
- Dividend Payments Guide for Singapore Business Owners
- Share Transmission: What Happens If a Shareholder Dies in Singapore?
- How to Reduce the Share Capital of Your Singapore Company
- Buy-Sell Agreements: How to Write & Fund Them in Singapore
- Oppression of Minority Shareholders
- Essential Regulatory Compliance Guide for Singapore Companies
- Dormant Companies and Their Filing Obligations in Singapore
- Anti-Money Laundering Regulations and Your Business: What You Need to Know
- Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
- Legally Conducting Lucky Draws for Singapore Businesses
- Restaurant Inspection and Food Safety Rules in Singapore
- How to Change the Name of Your Singapore Company
- Can Directors be Liable for Company Debts in Singapore?
- Company Loans to Directors/Shareholders in Singapore
- 3 Types of Insurance Every Singapore Business Needs
- Creating and Registering Charges in Singapore: Guide for Companies
- Guide to Effective Business Continuity Planning in Singapore
- Business Asset Sale & Disposal in Singapore: How Do They Work?
- Business Partnership Disputes in Singapore: How to Resolve
- How to Commence a Derivative Action on Behalf of a Company in Singapore
- Business Will: How to Pass on Your Business to Your Successors in Singapore
- Record-Keeping Requirements for Singapore Companies
- Company Constitutions in Singapore and How to Draft One
- Company Memorandum and Articles of Association
- Company Resolutions: What are They?
- Board Resolutions in Singapore
- Minutes of Company Meeting in Singapore: How to Record
- How to Set Up a Register of Controllers
- How to Set Up a Register of Nominee Directors
- Guide to Filing Financial Statements for Singapore Business Owners
- Filing Annual Returns For Your Business
- Singapore Corporate Tax: How to Pay, Tax Rate, Exemptions
- Start-Up Tax Exemption Guide for New Singapore Companies
- GST Registration: Requirements and Procedure in Singapore
- What is Withholding Tax and When to Pay It in Singapore
- Singapore Influencers: Here's How to Calculate Your Income Tax
- Tax Investigation of Tax-Evading Business Owners in Singapore
- Small Business Accounting Services in Singapore
- Company Audits in Singapore: Requirements and Exemptions
- Suspect a PDPA Data Breach? Here's What to Do Next
- Summary: Your Organisation's 10 Main PDPA Obligations
- Essential PDPA Compliance Guide for Singapore Businesses
- PDPA Consent Requirements: How Can Your Business Comply?
- Is It Legal for Businesses to Ask for Your NRIC in Singapore?
- Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
- Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
- GDPR Compliance in Singapore: Is it Required and How to Comply
- Appointing a Data Protection Officer For Your Business: All You Need to Know
- How Can Companies Dispose of Documents Containing Personal Data?
- Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
- How to Legally Install CCTVs for Home/Business Use in Singapore
- Is Web Scraping or Crawling Legal in Singapore?
- Legal Options If Employees Breach Confidentiality in Singapore
- Dealing with Defamation of Your Business: Can You Sue?
- Sending Email Newsletters That Comply With Singapore Law
- A legal guide to drafting a social media policy for your company
- Your Guide to a Media Release Form in Singapore
- Your Guide to an Influencer Marketing Agreement in Singapore
- Outdoor Advertising: How to Legally Display Public Ads in Singapore
- Voluntary Suspension of Business in Singapore: How to Handle
- Winding Up a Singapore Company: Grounds and Procedure
- Closing Your Singapore Business: What You Need to Settle
- Striking Off a Company
- Can a Company that Struck Itself Off the Register Later Apply to Restore Itself?
- Dissolution of partnerships in Singapore
- What Should a Creditor Do When a Company Becomes Insolvent?
- How to File a Proof of Debt Against a Company in Liquidation
- Insolvency: Claw-Back of Assets From Unfair Preference and Undervalued Transactions
- Validation of Payments Made by Companies Being Wound Up