PDP Act (Personal Data Protection Act) Laws and Regulation

PDP Act (Personal Data Protection Act) Laws and Regulation

What is Personal Data?

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access. Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).

The PDP Act establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDP Act provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organizations.

Objectives of the Personal Data Protection Act

Today, vast amounts of personal data are collected, used and even transferred to third party organizations for a variety of reasons. This trend is expected to grow exponentially as the processing and analysis of large amounts of personal data becomes possible with increasingly sophisticated technology.

With such a trend comes growing concerns from individuals about how their personal data is being used. Hence, a data protection regime to govern the collection, use and disclosure of personal data is necessary to address these concerns and to maintain individuals’ trust in organizations that manage data.

By regulating the flow of personal data among organizations, the PDP Act also aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.

Also read: 9 Policies For Security Procedures Examples

How does the Personal Data Protection Act work?

The PDP Act will ensure a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks. This means that organizations will have to comply with the PDP Act as well as the common law and other relevant laws that are applied to the specific industry that they belong to, when handling personal data in their possession. 

The PDP Act takes into account the following concepts:

• Consent – Organizations may collect, use or disclose personal data only with the individual’s knowledge and consent (with some exceptions);
• Purpose – Organizations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and
• Reasonableness – Organizations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

Application of the Personal Data Protection Act

The PDP Act covers personal data stored in electronic and non-electronic forms.

The data protection provisions in the PDP Act (parts III to VI) generally do not apply to:

• Any individual acting in a personal or domestic basis.
• Any employee acting in the course of his or her employment with an organization.
• Any public agency or an organization in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
• Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

These rules are intended to be the baseline law which operates as part of the law of Singapore. It does not supersede existing statutes, such as the Banking Act and Insurance Act but will work in conjunction with them and the common law.

When did the Personal Data Protection Act come into effect?

The PDP Act took effect in phases starting with the provisions relating to the formation of the PDP Act on 2 January 2013. Provisions relating to the DNC Registry came into effect on 2 January 2014 and the main data protection rules on 2 July 2014. This allowed time for organizations to review and adopt internal personal data protection policies and practices, to help them comply with the PDP Act.

Development of the Personal Data Protection Act

In the development of this law, references were made to the data protection regimes of key jurisdictions that have established comprehensive data protection laws, including the EU, UK, Canada, Hong Kong, Australia and New Zealand, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data, and the APEC Privacy Framework. These references are helpful for the formulation of a regime for Singapore that is relevant to the needs of individuals and organizations, and takes into account international best practices on data protection.

Three public consultations were conducted since 2011 to seek feedback on the proposed data protection regime. The public consultation sought the public’s views on topics including the coverage of the proposed law, the proposed data management rules and transitional arrangements for organizations to comply with the new law. For more information on the public consultations.

PDP act Obligation

Consent Obligation

The Consent Obligation is the first data protection obligation in the Act. According to the PDP Act: An organization must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.

Purpose Limitation Obligation

The Purpose Limitation Obligation is the second data protection obligation in the Act. According to the PDP Act: An organization may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.

Notification Obligation

The Notification Obligation is the third data protection obligation in the Act. According to the PDP Act: An organization must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.

Access and Correction Obligation

The Access and Correction Obligation is the fourth data protection obligation in the Act. According to the PDP Act: An organization must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organization and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s personal data that is in the possession or under the control of the organization.

Accuracy Obligation

The Accuracy Obligation is the fifth data protection obligation in the Act. According to the PDP Act: An organization must make a reasonable effort to ensure that personal data collected by or on behalf of the organization is accurate and complete if the personal data is likely to be used by the organization to make a decision that affects the individual concerned or disclosed by the organization to another organization.

Protection Obligation

The Protection Obligation is the sixth data protection obligation in the Act. According to the PDP Act: An organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

Retention Limitation Obligation

The Retention Limitation Obligation is the seventh data protection obligation in the Act. According to the PDP Act: An organization must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes.

Transfer Limitation Obligation

The Transfer Limitation Obligation is the eighth data protection obligation in the Act. According to the PDP Act: An organization must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDP Act.

Openness Obligation

The Openness Obligation is the ninth data protection obligation in the Act. According to the PDP Act: An organization must implement the necessary policies and procedures in order to meet its obligations under the PDP Act and shall make information about its policies and procedures publicly available

Also read: Top 9 Proper Guidelines on How to Make Data Transfer Agreement Template