The data protection in Singapore is covered by the Personal Data Protection Act, which provides the baseline standard of protection for every individual’s data. It comprises various requirements mandatory for businesses in Singapore in governing the collection, usage, disclosure, and its care or management.
PDPA also provides the establishment of the national Do Not Call (DNC) registry, where people may register their mobile and telephone numbers if they opt not to be bothered by telemarketing messages from organizations.
Personal Data Protection Act’s objectives
The Personal Data Protection Act acknowledges organizations’ need to collect, use, or disclose personal data for reasonable and legitimate purposes and the protection of individuals’ personal data.
With this, it is necessary to establish a data protection regime that serves as a safeguard for the personal data collected and used from any misuse and maintain trust by individuals to these organizations that they entrust their sensitive information.
PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses through regulations among organizations for the flow of personal data.
Scope of the Personal Data Protection Act
The Data Protection Act covers Electronic and non-electronic formats that store personal data. However, according to Personal Data Protection Commission (PDPC), it generally does not apply to:
- Any individual acting in his/her capacity as an employee with an organization.
- Any individual acting on a personal or domestic basis.
- Any public agency in relation to the collection, use, or disclosure of personal data.
- Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.
Obligations of organizations under the Data Protection Act of Singapore
Organizations are mandatorily required to comply with all of the data protection obligations laid in the PDPA if they undertake the collection, usage, or disclosure of any individual’s personal data. Also, under the Do Not Call (DNC) registry, organizations must make necessary effort to make sure that those individual who are signed under the DNC registry must be excluded from their telemarketing messages.
How does the Personal Data Protection Act impact businesses?
When organizations fail to comply with the obligations laid under the PDPA, there are consequences imposed by the PDPA. Looking at the PDPC’s undertakings and decisions, we can infer that they take data breaches seriously. The fines for those organizations who were negligent on their obligations to protect personal data range up to 1,000,000 SGD.
With this, businesses that collect data for their daily operations are under a thin thread when it comes to their data protection practices because, as what we have learned from the PDPC decisions, even if the breach was caused by an employee’s simple mistake such as typing the wrong recipient, a hefty fine will be imposed to that organization.
Every business should establish a data protection policy to ensure that the legal obligations provided in the PDPA are met. This policy should take into account the way a business processes information and business’ general data needs.
According to BDB Pitmans, the following are policies that should be incorporated in every business:
- good information handling can improve your business’s reputation by increasing customer and employee confidence in you;
- good information handling should also reduce the risk of a complaint being made against you.
- keeping the information you have about your customers secure will help protect your and their information; and
- sending out a mailing from incorrect or out-of-date records could not only annoy your customers but also wastes your time and money.