Singapore: Personal Data Protection Act, 2012 (PDPA)

Technology has unquestionably brought the world closer but has reciprocaly raised serious questions in relation to security and protection of personal data of individuals. With every organisation collecting, using and even transferring a lot of our personal data, it gets us thinking about how vulnerable our data is to unauthorised use and disclosure. Protecting the Personal Data of its citizens has been the primary concern of every country. Singapore too understood the importance of protecting personal data of its citizens and accordingly enacted the Personal Data Protection Act, 2012 (PDPA). PDPA helps put in place a mechanism to govern the collection, use and disclosure of personal data and matters connected therewith.
The PDPA is not just beneficial to individuals but to organisations alike, as it recognises the rights of individuals to protect their personal data and also understands the needs of organisations to collect use and disclose such personal data. This blog provides the reader an insight into all the essential provisions of the PDPA.
Is PDPA applicable to you?
If you are an organisation, (which means and includes any individual, company, association, or body of persons, corporate or unincorporated irrespective of whether it has been formed or recognised under the law of Singapore or is a resident or has an office or a place of business in Singapore), PDPA shall be applicable to you.
What is Personal Data under PDPA?
Any data relating to an individual, which also includes data to which an organisation has or is likely to have access, and by which an individual can be identified is Personal Data. An individual’s name, address, phone number, email address, photograph, computer IP, National Registration Identification Card (NRIC), etc. are some of the many illustrations of what constitutes Personal Data.
Status of Data Intermediaries under the Act
PDPA mandates a data intermediary to protect the personal data of individuals that it processes on behalf of an organisation. A data intermediary shall retain data for no longer than for what purpose it was collected and only until it is required for legal or business purposes. The Intermediary shall not assume any liability or obligations while processing data but the organisation will be responsible and shall incur obligations under the Act for the data processed by an intermediary as if the data were processed by the organisation itself.
Obligations of an Organisation under the PDPA
- First and foremost, an organisation is required to develop and implement policies and practices and procedures to establish compliance with PDPA and shall communicate to its staff such policies and practices implemented.
- An organisation may collect, use or disclose personal data of an individual only for purposes that a reasonable person would consider appropriate in the circumstances and only if the individual has been informed before collecting such data, of the purposes for which it will be collected, used or disclosed.
- An organisation cannot collect, use or disclose personal data of an individual without such individuals expressed or deemed consent, unless collection, use and disclosure of an individual’s personal data is required or authorised by law.
- If an Individual requests withdrawal of his/her consent, the organisation cannot prohibit such withdrawal.
- An organisation shall inform the individual wanting to withdraw his/her consent of the likely consequences of such withdrawal and shall upon withdrawal of consent cease and cause its intermediaries and agents to cease collecting,using and disclosing personal data.
- An organisation has to put in place a mechanism to redress the complaints of individuals that may arise.
- An organisation is obligated to allow an individual access to his/her personal data and also allow him/her to correct or rectify their personal data when requested by them.
- An organisation is required to ensure the accuracy and completeness of the personal data collected by them or on their behalf.
- It is the responsibility of every organisation to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks of the personal data in its possession or under its control.
- An organisation shall retain personal data only for the purpose for which it was collected or if required for legal or business purposes.
- An organisation shall not transfer any personal data to a country or territory outside Singapore unless such transfer is permitted under the Act.
- Every organisation is duty bound to designate a person as the Data Protection Officer, who will be responsible for ensuring the organisations compliance with the Act and shall be responsible to address request made by individuals regarding collection, use or disclosure of personal data.
- An organisation is under an obligation to make public, the business contact information of the Data Protection Officer.
- Since the PDPA does not stipulate a time limit for an organisation to reply to requests, an organisation shall respond to requests within a reasonable time frame and if an organisation is unable to reply within 30 days, the organisation shall inform the individual in writing of the time by which it will respond to the request.
Rights of Individuals under the PDPA
- An individual can withdraw his/her consent given for the collection, use and disclosure of personal data, at any time by giving reasonable notice to the organisation for withdrawing his/her consent given or deemed to have been given .
- An individual has a right to access personal data. Upon request by an individual, the organization shall as soon as reasonably possible provide individual with personal data that is in its possession or under its control, except if expressly prohibited under the Act or any law.
- An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation.
General Penalty
Any person guilty of an offence under this Act shall be liable to pay a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or with both.
Know more about what your responsibilities are under PDPA 2012 Contact Legawise for any further information about you can be PDPA compliant.