Overview of the Personal Data Protection Act (Singapore)
What is the Personal Data Protection Act (PDPA)?
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and was brought into force progressively, in several stages, from January 2013 until July 2014.
The PDPA recognises both:
- The rights of individuals (natural persons, whether living or dead) to protect their personal data; and
- The need of organisations (any individual, company, association or body of persons, corporate or unincorporated) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
What is Personal Data?
Personal data refers to data, whether true or not, about an individual who can be identified from that data, or from that data together with other information to which the organisation has or is likely to have access.
Examples of personal data that can on its own, or when made available together, identify an individual include:
- NRIC / FIN number / Passport Number
- Personal Email Address
- Personal mobile telephone number
- Residential address
- Photograph or video image of an individual
- Voice recording
- Biometric identifiers (e.g. Iris image, thumbprint, DNA profile)
Note that the PDPA’s disclosure and protection provisions protect the personal data of deceased individuals for up to 10 years after their death.
What Types of Personal Data are Excluded from the PDPA?
The PDPA does not apply to the following categories of personal data:
- Personal data of deceased individuals who have been dead for more than 10 years
- Business contact information (BCI) of individuals, even if the information is also used by the individual for personal purposes, for example:
  - Business title
  - Business telephone number
  - Business e-mail address
  - Business office address
Who Does Not Need to Comply with the PDPA?
The PDPA applies to organisations in respect of the collection, use and disclosure of personal data in Singapore. There are, however, certain parties that do not need to comply with these obligations:
- Any individual acting in a personal or domestic capacity
- Any employee acting in the course of his/her employment
Employees acting in the course of their employment will have to adhere to their organisation’s policies for ensuring the organisation’s compliance with the PDPA. They will not be held personally liable for breaching the PDPA as a result of actions taken on their organisation’s instructions.
- Any public agency
- Any organisation in the course of acting on behalf of a public agency in relation to the collection, use and disclosure of the personal data
Public agencies are not governed by the PDPA because there are fundamental differences in how the public sector operates compared with the private sector. Instead, they have to comply with the Government Instruction Manuals and the Public Sector (Governance) Act (PSGA). Collectively, these provide higher standards of data protection than the PDPA.
Note that organisations which are data intermediaries are partially excluded from these obligations: only the Protection and Retention Limitation Obligations apply to them. A “data intermediary” is defined as an organisation that processes personal data on behalf of another organisation.
- Adaptation or alteration