What the Personal Data Protection Act Means for Individuals


What is ‘Personal Data’?

What is your ‘personal data’? Section 2 of the Personal Data Protection Act defines personal data as data about an individual who can be identified either from the data itself or from other data that an organisation is likely to have access to. Thus, data like names and NRIC numbers would be considered ‘personal data’ since they can be linked to the individual. It also does not matter whether the data is true or not. Business contact information is not considered ‘personal data’.

What is the Protection?

Firstly, it means that your consent is needed for the collection, use, or disclosure of your personal data. However, there are some exceptional circumstances stated in the Second, Third and Fourth Schedule of the Act (a pretty long list of exceptions actually).  To obtain your consent, the organisations should inform you of the purpose for the collection, use or disclosure of your personal data. However, there will be deemed consent when the data is voluntarily given by you, and if it is reasonable that you would voluntarily provide the data.

An organisation cannot deceive you into giving your consent by giving false or misleading information about what it intends to do with the information. In addition, your consent cannot be obtained  as a condition of providing a product or service beyond what is reasonably necessary for the product or service.

Secondly, in case of doubt, you have the right to ask the data-collecting organisation about your personal data. According to section 20(1)(c), organisations are required to provide the business contact information of a person who can answer your questions regarding the collection, use and disclosure of your personal data upon your request.

Thirdly, you may withdraw your consent at any time with reasonable notice. The organisation should inform you of the likely consequences of your withdrawal, and cease collecting, using or disclosing your personal data.

Fourthly, you should have access to your personal data and to be able to correct it if it is wrong.

Lastly, there are obligations on organisations to take care of your personal data. They have to make reasonable effort to ensure that the personal data is accurate, to ensure that there is reasonable security for the data, to retain data for no longer than necessary, and to ensure that comparable protection of data is given if the data is transferred outside Singapore.

Who is Restricted by the Act?

The Act does not apply to individuals acting in a personal or domestic capacity. That means it wouldn’t apply in a situation where you are taking down your friend’s details for your address book, for example. It also doesn’t apply to employees working in the course of their employment. Nor does it apply to public agencies.

Do-Not-Call Registry

The Do-Not-Call Registry will come into force in early 2014. Registering your phone number will allow you to opt out of  receiving marketing messages of a commercial nature that are addressed to your Singapore phone number.


When the provisions of the Act fully come into force, you will be able to file a complaint to the Personal Data Protection Commission when you suffer violations of the Act. The Commission will be responsible for conducting the investigation.

This is only a general summary of the Act and details have been omitted due to the need for brevity.