The 9 Obligations of PDPA
Organisations are required to comply with the Personal Data Protection Act (PDPA), especially the 9 Obligations of PDPA, when collecting, using or disclosing personal data.
The 9 Obligations of the PDPA are:
- Consent Obligation
- Purpose Limitation Obligation
- Notification Obligation
- Access and Correction Obligation
- Accuracy Obligation
- Protection Obligation
- Retention Limitation Obligation
- Transfer Limitation Obligation
- Accountability Obligation
In the following sections, we will explain what each of the 9 obligations means.
1. Consent Obligation
Organisations can only collect, use or disclose the personal data of individuals for which consent has been given.
Individuals must also be allowed to withdraw their consent at any time, with reasonable notice given. Upon receipt of a withdrawal notice, organisations must inform the individual of the likely consequences of withdrawing consent. Organisations must thereafter cease further collection, use or disclosure of the personal data of these individuals.
Note that organisations need not delete or destroy the personal data of individuals who have withdrawn consent, if there are still valid business or legal needs.
2. Purpose Limitation Obligation
Organisations may collect, use or disclose personal data of individuals for the purposes for which consent has been given, and for what a reasonable person would consider appropriate in the circumstances.
Organisations may not, as a condition of providing a product or service, force individuals to consent to the collection, use or disclosure of their personal data beyond what is deemed reasonable.
3. Notification Obligation
Organisations must inform individuals of the purposes for which their personal data is being collected, used or disclosed, on or before any collection, use or disclosure.
4. Access and Correction Obligation
Upon request by individuals, and as soon as reasonably possible, organisations must be able to provide information on:
- What personal data belonging to the individual is under the organisation’s possession and control; and
- The ways in which the personal data has been or may have been used or disclosed within a year’s period before the request.
However, organisations are able to reject the access request if the result of acceding to the request may reasonably be expected to:
- cause immediate or serious harm to the individual’s safety, physical or mental health;
- threaten the safety, physical or mental health of another individual;
- reveal personal data about another individual;
- reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his/her identity; or
- go against national interest.
Organisations are also required to rectify any error or omission in an individual’s personal data upon request, as soon as reasonably practicable, unless the organisation has differing grounds to believe that the correction should not be made. Organisations should then proceed to send the updated data to other organisations to which the personal data was disclosed within a year’s period before the correction was made, or with the individual’s consent, only to specific organisations.
Note that organisations may levy an administrative fee to process a personal data access request, but not a correction request.
5. Accuracy Obligation
Organisations must make a reasonable effort to ensure that the personal data collected by them or on their behalf is accurate and complete, if the personal data is likely to be used to make a decision that will affect the individual, or if it is likely to be disclosed to another organisation.
6. Protection Obligation
Organisations should put in place reasonable security arrangements to protect the personal data under their possession or control, to prevent any unauthorised access, collection, use, disclosure or similar risks.
Typical instances of when the protection obligation is applicable would be during the processing and sending of personal data, storing and disposing of hardcopy documents containing personal data, or access restrictions and deletion of electronic personal data.
7. Retention Limitation Obligation
Organisations should retain personal data only for as long as necessary for business or legal purposes, after which the data has to be destroyed or anonymised to remove the association with particular individuals.
8. Transfer Limitation Obligation
Organisations transferring personal data overseas, such as storing the data in cloud servers not located within Singapore, have to ensure that the receiving country to which the data is being transferred offers a level of data protection comparable to the PDPA.
9. Accountability Obligation
Previously known as the “Openness Obligation”, this obligation has been updated to reflect developments in data protection relating to the concept of accountability for organisations.
Organisations should make information about their data protection practices, policies and complaints process available upon request.
It is also a mandatory requirement for organisations to appoint at least one individual as a Data Protection Officer (DPO) to lead and ensure the company follows the 9 obligations of PDPA, which is ultimately still the responsibility of the organisation.
Exemptions to the 9 Obligations of PDPA
Do note that there are certain exemptions to the above 9 obligations, and they are generally purpose-based. For example, some of these exceptions relate to not seeking consent to collect, use or disclose personal data during emergency situations and investigations, when an individual’s personal data is already publicly available, or when personal data is used for evaluative purposes. For more exceptions, please refer to the Second to Sixth Schedules of the PDPA.
The 9 Obligations of PDPA: Existing Data
Organisations can continue to use personal data that was collected before the data protection provisions of the PDPA came into effect on 2nd July 2014, for the purposes for which the personal data was collected, unless the individual has withdrawn consent. If the personal data is to be used for a different purpose, new consent has to be obtained.
For personal data collected after 2nd July 2014, organisations have to notify and obtain the individual’s consent to the collection, use or disclosure of his/her personal data.