Organizations are required to comply to the Personal Data Protection Act (PDPA) especially the 9 Obligations of PDPA when collecting, using or disclosing personal data.
In the following sections, we will explain what each of the 9 obligations means.
Also Read: Understanding the mandatory data breach notification of Singapore
Organisations can only collect, use or disclose the personal data of individuals for which consent has been given.
Individuals must also be allowed to withdraw their consent anytime, with reasonable notice given, and upon the receipt of their withdrawal notice, inform them the likely consequences of doing so. Organisations must thereafter cease further collection, usage or disclosure of the personal data of these individuals.
Note that organisations need not delete or destroy the personal data of these individuals who have withdrawn consent, if there is still valid business or legal needs.
Organisations may collect, use or disclose personal data of individuals for the purposes for which consent have been given for, and what a reasonable person would consider appropriate in the circumstances.
Organisations may not, as a condition of providing a product or service, force individuals to consent to the collection, use or disclosure of their personal data beyond what is deemed reasonable.
Organisations must inform individuals of the purposes for which their personal data is being collected, used or disclosed, on or before any collection, use or disclosure.
Upon request by individuals, and as soon as reasonably possible, organisations must be able to provide information on:
However, organisations are able to reject the access request if the result of acceding to the request may reasonably be expected to:
Organisations are also required to rectify any error or omission in an individual’s personal data upon request, as soon as reasonably practicable, unless the organisation has differing grounds to believe that the correction should not be made. Organisations should then proceed to send the updated data to other organisations to which the personal data was disclosed within a year’s period before the correction was made, or with the individual’s consent, only to specific organisations.
Note that Organisations may levy an administrative fee to process the personal data access request, but not for a correction request.
Organisations must make reasonable effort to ensure that the personal data collected by or on behalf of them is accurate and complete, if the personal data is likely to be used to make a decision that will affect the individual, or if it is likely to be disclosed to another organisation.
Organisations should put in place reasonable security arrangements to protect the personal data under its possession or control, to prevent any unauthorised access, collection, use, disclosure or similar risks.
Typical instances of when the protection obligation is applicable would be during the processing and sending of personal data, storing and disposing of hardcopy documents containing personal data, or access restrictions and deletion of electronic personal data.
Organisations should retain personal data for only as long as necessary for business or legal purposes, after which the data has to be destroyed or anonymized to remove the association to the particular individuals.
Organisations transferring personal data overseas, such as storing the data in cloud servers not located within Singapore, have to ensure that the receiving country to which the data is being transferred, offers a comparable level of data protection as the PDPA.
Previously known as the “Openness Obligation”, this obligation has been updated to reflect developments in data protection relating to the concept of accountability for organisations.
Organisations should make information about its data protection practices, policies and complaints process available upon request.
It is also a mandatory requirement for organisations to appoint at least one individual as a Data Protection Officer (DPO) to lead and ensure the company follows the 9 obligations of PDPA, which is ultimately still the responsibility of the organisation.
The business contact information of the Data Protection Officer should be made available to the public, and this is typically displayed on the privacy policy page on an organisation’s corporate website. The business contact information should also be readily accessible from Singapore, operational during Singapore business hours and in the case of telephone numbers, be Singapore telephone numbers.
Do note that there are certain exemptions to the above 9 obligations and they are generally purpose-based. For example, some of these exceptions relate to not seeking consent to collect, use or disclose personal data during emergency situations and investigations, if an individual’s personal data is already publicly available data or when personal data is used for evaluative purposes. For more exceptions, please refer to the Second to Sixth Schedules of the PDPA.
Organisations can continue to use personal data that has been collected before the data protection provisions of the PDPA came into effect on 2nd July 2014, for the purposes which the personal data was collected for, unless the individual has withdrawn consent. If there is a different purpose for the use of the personal data, new consent has to be obtained.
For personal data collected after 2nd July 2014, organisations have to notify and obtain the individual’s consent to the collection, use or disclosure of his/her personal data.
If you have any questions or concerns regarding PDPA compliance, feel free to contact us here or email us at ninjas@privacy.com.sg
Also Read: What you need to know about appointing Data Protection Officer in Singapore
Importance of Efficient Access Controls that every Organisation in Singapore should take note of. Enhancing…
Prioritizing Security Measures When Launching a Webpage That Every Organisation in Singapore should take note…
Importance of Regularly Changing Passwords for Enhance Online Security that every Organisation in Singapore should…
Comprehensive Approach to Data Protection and Operational Integrity that every Organsiation in Singapore should know…
Here's the importance of Pre-Launch Testing in IT Systems Implementation for Organisations in Singapore. The…
Understanding Liability in IT Vendor Relationships that every Organisation in Singapore should look at. Understanding…
This website uses cookies.
