How can we help you today ?

Translation Services

Frequently Asked Questions

Organizations

How much personal data can an organisation collect, use or disclose? Under the PDPA, an organisation may collect, use or disclose personal data only for reasonably appropriate purposes under the circumstances. Organisations should notify individuals of the purposes for the collection, use and disclosure of personal data, and seek individuals' consent for the collection, use and disclosure of the personal data unless an exception under the PDPA applies. These exceptions are set out in the Second, Third and Fourth Schedules of the PDPA respectively. In this regard, organisations shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service. If the organisation wishes to collect any additional personal data, the organisation may provide the individual the option of whether to consent to this. For example, an organisation selling a consumer product to individuals should not require them to reveal their annual household income as a condition of selling the product, although it may ask them to provide such personal data as an optional field.

The Personal Data Protection Act 2012 (PDPA) applies to organisations, including:

“... any individual, company, association or body of persons, corporate or unincorporated, whether or
not — 
(a) formed or recognised under the law of Singapore; or
(b) resident, or having an office or a place of business, in Singapore;"

As long as your organization runs a business in Singapore, you would most likely have collected, used or disclosed Personal Data in some form on the other and hence need to comply. This can be with regards to your internal HR matters or processing Personal Data to provide a product or service to a customer.

Contact us for a no obligation chat today!

Under the Personal Data Protection Act 2012 (PDPA), organisations are required to develop and implement policies and practices that are necessary to meet its obligations under the PDPA. In particular, organisations are required to designate at least one individual, known as the Data Protection Officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA.

An organisation or person that commits an offence under section 51(3)(b) or (c) of the PDPA is liable to:

  • in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
  • in any other case, to a fine not exceeding $100,000.

Section 29(2) of the PDPA further provides that the PDPC may (without prejudice to section 29(1) of the PDPA) give an organisation that is not complying with any of the Data Protection Provisions any or all of the following directions:

  • to stop collecting, using or disclosing personal data in contravention of the PDPA;

  • to destroy personal data collected in contravention of the PDPA;

  • to comply with any direction of the PDPC under section 28(2) of the PDPA;

  • to pay a financial penalty of such amount not exceeding $1 million as the PDPC thinks fit.

Organisations with manpower or capability constraints can also consider outsourcing parts of the DPO function to a service provider. Do note, however, that the DPO function is management's responsibility and that the outsourcing service should cover only the operational aspects of the DPO function.

Visit our DPO-As-A-Service page here to understand how outsourcing your company's DPO role to us will ease your operational burdens while ensuring compliance. 

From training individuals on online privacy and reducing their digital footprints to Open Source Intelligence (OSINT) gathering techniques, and corporate training on PDPA compliance, Privacy Ninja has all your privacy needs covered.

We are always looking for strategic partners to distribute our service offerings. Be it sharing our services to your existing clientele or working on a marketing plan and being a referral, drop us a message at https://privacy.com.sg/work-with-us/ 

Surely! We have helped various companies undergoing investigation for suspected data breach or complaint matters to successfully prevent a financial penalty.

Contact us for a no obligation chat today!

Generally, organisations may continue to use the personal data collected prior to the effective date of the data protection rules, unless the individual withdraws consent (if consent had previously been given) or indicates that he does not consent to such use of the personal data.

Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless any exception applies. These exceptions are set out in the Second, Third and Fourth Schedules of the PDPA respectively. This includes exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.

For example, if a company has been using its customer's personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose. If the organisation wishes to use the personal data for telemarketing, it will separately have to ensure compliance with the DNC provisions under the PDPA.

Consent can be obtained in a number of different ways. As a best practice, an organisation should obtain consent that is in writing or recorded in a manner that is accessible for future reference, for example, if the organisation is required to prove that it had obtained consent.

An organisation may also obtain consent verbally although it may correspondingly be more difficult for an organisation to prove that it had obtained consent. For such situations, it would be prudent for the organisation to document the consent in some way.

As a good practice, organisations should generally seek individuals' consent for marketing via a distinct opt-in selection when signing up for a product or service.

An organisation will not be considered to be requiring consent to market its products or services as a condition of providing a product or service, if it allows the individual to withdraw such consent and doing so will not result in ceasing of the provision of the product or service to the individual.

The organisation should clearly state how the individual may withdraw consent from marketing subsequently (e.g. by providing a link or an email address for the individual to opt out).

Organisations should also note that this approach to obtaining consent for sending marketing messages does not apply to sending of marketing messages via voice, text and fax where clear and unambiguous consent is required under the DNC Provisions of the PDPA.

Deeming that an individual has given his consent through inaction on his/her part will not be regarded as consent in all situations. Whether or not a failure to opt out can be regarded as consent will depend on the actual circumstances and facts of the case. Organisations are advised to obtain consent from an individual through a positive action of the individual to consent to the collection, use and disclosure of his personal data for the stated purposes.

Organisations that wish to do so should consider the following:

Is the collection, use or disclosure of the personal data required or authorised under the PDPA or other laws for that purpose? If so, the organisation does not need to seek consent. Otherwise, the organisation should consider whether the individual has previously withdrawn or indicated that he does not consent to that new purpose.

If the individual has previously withdrawn or indicated that he does not consent to that new purpose, the organisation should not contact him to seek consent for that new purpose. However, the organisation may seek fresh consent during any new transaction with the individual. For example, a service provider may seek the consent of subscribers who previously indicated they did not consent to the use of their personal data for other purposes, at the point of renewal of their service subscription.

Where the individual has not previously withdrawn or indicated that he does not consent to that purpose, the organisation may contact the individual to seek consent for the new purpose. However, if the new purpose involves marketing, the organisation must also comply with the Do Not Call (DNC) provisions when contacting the individual via voice, text or fax messages.

An organisation may use personal data collected before 2 July 2014 for the purposes for which the personal data was collected, unless consent for such use is withdrawn or the individual has indicated to the organisation that he does not consent to the use of the personal data.

If an organisation intends to disclose the personal data on or after the appointed day (other than disclosure that is necessarily part of the organisation's use of the personal data), the organisation must comply with the data protection provisions in relation to such disclosure. As the sale of databases containing personal data involves a disclosure of personal data, organisations must obtain valid consent from the relevant individuals before doing so.

The PDPA provides for certain exceptions to the requirement to obtain consent. One of these exceptions allows organisations to collect, use or disclose personal data without consent for the purpose of “business asset transactions”, subject to certain conditions.  “Business asset transaction” is defined in the PDPA and can apply to mergers and acquisitions.

For example, Organisation A is a prospective buyer of Organisation B. Organisation A can collect personal data without consent (and Organisation B can disclose without consent) about B’s employees, customers, directors or shareholders if it relates directly to the business with which the acquisition is concerned. The personal data must be necessary for Organisation A to determine whether to proceed with the acquisition, and organisations A and B must have entered into an agreement that requires A to use or disclose the personal data solely for purposes related to the acquisition.

For full details, please refer to the Second Schedule, paragraph 1(p) and 3 and Fourth Schedule, paragraph 1(p) and 3 of the PDPA.

Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes. The term “evaluative purpose” is defined in section 2(1) of the PDPA and includes, amongst other things, the purpose of determining the suitability, eligibility or qualifications of an individual for employment, promotion in employment or continuance in employment.

Hence, the evaluative purpose exception allows employers to collect, use and disclose personal data without the consent of the individual concerned for various purposes that are common in the employment context, for example:

a) Obtaining a reference from a prospective employee’s former employer where necessary to determine his suitability for employment; or
b) Obtaining opinions about the employee where necessary to determine his eligibility for promotion.

In practice, an organisation that has been requested to disclose information about its past employee may not be able to evaluate whether it is necessary for evaluative purposes, and may therefore wish to obtain the consent of the individual.

Organisations are required to comply with the Data Protection Provisions, including the Consent Obligation and Transfer Limitation Obligation, under the PDPA for any disclosure and overseas transfer of personal data, unless an exception applies.

Depending on the specific facts of the case, an exception to the Consent Obligation may apply such that an organisation may disclose the personal data to an overseas authority without consent from the individual. The circumstances for disclosure without consent are provided in the Fourth Schedule of the PDPA. The Transfer Limitation Obligation may also be taken to be satisfied where certain exceptions in the Fourth Schedule applies (more details are set out in Regulation 9(3)(e) of the Personal Data Protection Regulations 2014).

However, no specific exception under the PDPA routinely covers all requests from overseas authorities.

If an organisation requires further guidance from the PDPC on this matter, please write in to us at ninjas@privacy.com.sg.

Organisations must notify individuals of the purposes for which their personal data (including CCTV footage of them) is collected, used or disclosed and obtain their consent, unless any exception applies. For example, notification and consent is not required if the personal data is publicly available. 

The PDPA does not prescribe the content of notifications. Generally, organisations should indicate that CCTVs are operating in the premises, and the purpose of the CCTVs if such purpose may not be obvious to the individual.

Please refer to the Advisory Guidelines on the PDPA for Selected Topics, Chapter 4, on Photography, Video and Audio Recordings, and PDPC’s Guide to Notification for information and examples on good practices organisations may adopt when notifying individuals about personal data policies and practices.

Organisations may collect personal data of visitors to premises where it is necessary for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the COVID-19.

In the event of a COVID-19 case, personal data can be collected, used and disclosed without consent to carry out contact tracing and other response measures, pursuant to sections 1(b) of the Second, Third and Fourth Schedules to the PDPA, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

As organisations may require NRIC/FIN/passport numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect visitors’ NRIC, FIN or passport numbers where it is necessary for this purpose.

Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure (e.g. ensure visitor logbooks are kept secured and not visible to other visitors), and ensuring that the personal data is not used for other purposes without consent or authorisation under the law. Organisations should also expunge the data when it is no longer needed for contact tracing-related purposes.

Individuals

From training individuals on online privacy and reducing their digital footprints to Open Source Intelligence (OSINT) gathering techniques, and corporate training on PDPA compliance, Privacy Ninja has all your privacy needs covered.

Yes, we have helped clients remove their Personal Data that is made available online without their consent on numerous occasions. In most instances, we also find more sites that display your Personal Data and get it removed as well.

Contact us for a no obligation chat to find out more.

Organisations are generally not allowed to collect, use or disclose your NRIC number (or copy of your NRIC). They may do so only if it is required under the law (or an exception under the PDPA applies) or necessary to accurately establish or verify your identity to a high degree of fidelity.

Where there is no intention to obtain control or possession of your physical NRIC for the purpose of establishing or verifying your identity, and no personal data is retained once the NRIC is immediately returned to you, the PDPC does not consider it to be a collection of personal data.

The PDPC recognises that organisations may wish to collect partial NRIC numbers when other alternatives are not satisfactory. Organisations that collect the last three numerical digits and checksum of the NRIC number (e.g. "567A" from the full NRIC number of "S1234567A") would not be considered to be collecting the full NRIC number, and therefore not subject to the treatment for NRIC numbers set out in the PDPC's advisory guidelines.

Partial numbers are, however, considered personal data under the PDPA to the extent that an individual can be identified from the partial NRIC number, or from the number and other information to which the organisation has or is likely to have access. Organisations that collect partial NRIC numbers must still comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession or under their control from unauthorised disclosures.

The DNC Registry lets you opt out of marketing messages addressed to your Singapore telephone number, such as those which promote or advertise goods or services, allowing you to have more control over the kind of messages you receive on your telephone, mobile telephone, or fax machine.

Organisations are required to check the DNC Registry within 30 days before sending any telemarketing message. Therefore, you should not receive telemarketing messages from organisations, which are covered by the scope of the DNC Registry, 30 days after registration.

Please click here to lodge a complaint on a DNC Registry Offence or a personal data protection related offence. Alternatively, you may also submit a complaint to the PDPC by calling 6377 3131.

While there is no specific time frame during which a complaint may be lodged, you may wish to note that the evidence may no longer be available to substantiate your case if the complaint is lodged a significant period after the telemarketing message/call was received.

Do not reply to such an SMS or call. Do not interact in any way.

Unsolicited SMSes or calls from unknown sources that are related to loans, financial assistance or online gambling are likely to be associated with unlicensed moneylending and illegal gambling activities. The PDPC investigates all complaints regarding unsolicited telemarketing SMSes or calls seriously. However, unlicensed moneylending and illegal gambling are serious criminal offences in Singapore where the Police are the relevant authority to investigate such offences. If you receive such SMSes or calls, please notify the Police directly by: 

  • lodging a Police Report;
  • calling the National Crime Prevention Council's 'X Ah Long' Hotline at 1800-924-5664 (1800-X-AH-LONG); or
  • providing information via I-Witness.

Complaints received by the PDPC relating to such activities will be referred to the Police.

Organisations should not retain your physical NRIC unless required under the law. This is given the importance of the NRIC as a national identification document that is issued to all citizens and permanent residents of Singapore, and the impact to the individual should the NRIC be misplaced or stolen and used for illegal activities.

The PDPA does not prescribe the retention period. However, an organisation shall cease to retain personal data as soon as the purpose of collection is no longer necessary for business or legal purposes.

Organisations will need to ensure that the necessary operational changes to business practices are made before 1 September 2019.

For transactions related to financial and insurance matters, organisations are permitted to collect your NRIC number (or copy of your NRIC) after informing you on the purposes for the collection, use or disclosure of the personal data, and seeking your consent.

Where organisations can collect NRIC numbers of individuals, they will have to comply with the Data Protection Provisions under the PDPA, such as ensuring an appropriate level of security to prevent unauthorised access, collection, use, disclosure or similar risks; and ceasing to retain the data as soon as the purpose for which it was collected is no longer necessary for business or legal purposes.

Contact our sales team

Drop us your details and our sales Ninjas will get in touch in 24 hours

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

× How can we help you?