PDPA Singapore Guidelines: 16 Key Concepts For Your Business
The digital currency we know as personal data pertains to data about an individual who can be identified from that data, or from that data and other details to which an organisation has or is likely to have access.
An overview of the PDPA Singapore guidelines
The Personal Data Protection Act (PDPA) presents a basic set of provisions for the protection of personal data in Singapore. It integrates well into the sector-specific legislative and regulatory structures such as the Banking Act and Insurance Act.
It covers several provisions regulating the collection, use, disclosure, and care of personal data in Singapore. Additionally, it provides for the enactment of a national Do Not Call (DNC) Registry. Under this provision, individuals may register their Singapore telephone numbers with the DNC Registry to opt out of getting unwarranted telemarketing messages from different organisations.
There are many reasons why your organisation must spend money, time, and effort on Personal Data Protection and Security: preventing financial loss due to data breach, ensuring compliance with regulatory requirements, maintaining high levels of productivity, and meeting customer requirements. Check out how Privacy Ninja’s PDPA Obligations for Organisational Compliance (which is SkillsFuture Credit-eligible, by the way!) can help train your personnel toward full PDPA compliance. Get started today.
The advisory guidelines for key concepts amplify and furnish illustrations for the key responsibilities in the PDPA and interpretation of key terms in the PDPA. These serve to aid organisations and individuals in their general understanding of the PDPA. It should be noted that originally, there were 23 chapters in the advisory guidelines, but these have since grown to 26 chapters (after the November 2020 amendments), grouped into 16 main sections. These updates came into force on 1 February 2021.
16 sections under the PDPA Singapore guidelines
Chapters 1-2: Introduction and Overview. The first two chapters cover the origins of the PDPA, including the reasoning behind its enactment. Additionally, they give a high-level glimpse of the scope of the provisions as well as the exceptions to them.
Chapters 3-9: Important Terms Used in the PDPA. As the name suggests, these next chapters take their sweet time in defining 6 key terms used in the PDPA, while also offering use case scenarios:
- personal data
- collection, use, and disclosure
The purpose for fleshing out the terms above is to provide guidance on how these terms may be perceived and applied in the context of the Data Protection Provisions.
Chapter 10: Overview of the Data Protection Provisions. This overview spells out the ten main obligations under the Data Protection Provisions, which are also subject to exceptions or limitations specified in the PDPA.
Chapter 11: Applicability to Inbound Data Transfers. On some occasions, data that’s collected overseas is subsequently transferred into Singapore. How should organisations deal with this scenario, and what can and cannot they do with this set of collected data? This chapter of the PDPA Singapore guidelines answers that through a detailed discussion and an example scenario.
Chapter 12: The Consent Obligation. The PDPA recognises the need for organisations to collect, use, and disclose personal data for reasonable purposes. Hence, it imposes the consent obligation to ensure that individuals still retain control over their personal data. This chapter of the PDPA Singapore guidelines gives the lowdown on what constitutes consent, specific use case scenarios to illustrate the discourse, as well as how organisations should move forward once an individual withdraws the consent initially given.
Chapter 13: The Purpose Limitation Obligation. Apart from giving clear guidelines on consent, it is also important to lay the foundation for the purpose and limits of collecting, using, and disclosing data. This chapter dwells on this, and aims to ensure that the extent of collection, use, and disclosure stays within the bounds of what is relevant and reasonable for the organisation to collect.
One crucial aspect of ensuring full PDPA compliance in the workplace is the appointment of a Data Protection Officer (DPO). Apart from being mandatory for all organisations in Singapore, appointing a DPO allows businesses to have someone oversee the data protection responsibilities within the organisation. In this regard, check out how Privacy Ninja’s DPO-As-A-Service gives you peace of mind without breaking the bank. Chat with us today.
Chapter 14: The Notification Obligation. This chapter of the PDPA Singapore guidelines focuses on how organisations must always notify individuals of the purposes for which their personal data will be collected, used, or disclosed in order to obtain their consent.
Chapter 15: The Access and Correction Obligations. In this chapter of the PDPA Singapore guidelines, the rights of individuals to their personal data are reiterated: individuals have the right to request access to their personal data, to correct it, and to see how it has been used by your organisation. Specific example scenarios are provided.
Chapter 16: The Accuracy Obligation. This part of the PDPA Singapore guidelines discusses how the PDPA requires organisations to make a conscious effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete. Various scenarios are given to better illustrate the subject matter.
Chapter 17: The Protection Obligation. This chapter discusses how organisations must ensure that all personal data in their possession or under their control is protected in order to prevent (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is kept.
Chapter 18: The Retention Limitation Obligation. Some organisations may have the misconception that the personal data they collect is theirs perpetually. This chapter of the PDPA Singapore guidelines sets the record straight by touching on the conversation about how long personal data can be retained by companies.
Chapter 19: The Transfer Limitation Obligation. In a world that’s getting smaller thanks to accelerated digitalisation, cross-border transfers of personal data have also become easier. This chapter touches on the limitations to which transfers of personal data are bound, as well as the conditions organisations must meet and the repercussions they face if these are not followed.
Chapter 20: The Data Breach Notification Obligation. This chapter is a result of the PDPA amendments of November 2020. It puts more weight on the organisation’s responsibilities in the event that a data breach occurs. Various examples are laid out for a greater understanding of probable scenarios and actionable points.
Chapter 21: The Accountability Obligation. This added chapter defines the concept of ‘accountability’ when it comes to data protection. It also discusses how organisations must put measures in place to make sure they meet their obligations under the PDPA and, importantly, be able to demonstrate that they do so when required.
Chapters 22-23: Offences affecting personal data and anonymised information. Now these chapters of the PDPA Singapore guidelines may look bleak, and rightly so. Spread throughout are discussions of the offences that organisations can possibly incur, as well as the categories under which these offences may be committed.
Chapters 24-26: Other Rights, Obligations and Uses. These final chapters cover the other rights, obligations, and uses not discussed in the previous chapters. That is, the PDPA includes measures that detail how the Data Protection Provisions apply in relation to, among other things, existing rights, obligations, and uses of personal data.
Your organisation stands to benefit from being fully compliant with PDPA Singapore guidelines. There is no better time than now to start your roadmap to complete adherence to these obligations. Let us know how Privacy Ninja’s wide range of service offerings can help your organisation get started on your road to full PDPA compliance.
Privacy Ninja provides GUARANTEED quality and results for the following services:
DPO-As-A-Service (Outsourced DPO Subscription)
PDPA Compliance Training
PDPA Compliance Audit
Digital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy
PDPA Data Protection Software
Vulnerability Assessment & Penetration Testing (VAPT)
Smart Contract Audit