Personal Data Protection Act Singapore: Is Your Business Compliant?
Running a business in Singapore, like elsewhere, entails responsibilities. In 2014, the Singapore government enacted the Personal Data Protection Act of 2012 (PDPA). This law governs the collection, use, and disclosure of personal data by all private organizations. With the 2020 amendment of the Personal Data Protection Act now in force in Singapore, it is high time for a quick review.
First things first, what is personal data?
Personal data is data about an individual who can be identified from that data, or from that data together with other information to which a business organization has or is likely to have access.
We are talking here about the things that can identify you as an individual: your fingerprints, face geometry, NRIC number, voice, DNA profile, and even your ID photo or your latest selfies!
What is the coverage of the Personal Data Protection Act Singapore has enforced?
Are all types of personal data covered? Well, technically no. There are a few categories which the PDPA does not cover:
- Personal data that have been on record for at least 100 years (historical personal data)
- Personal data of an individual who has been dead for 10 years or more
- Business contact information such as:
  - Business position or title
  - Business contact number
  - Business address and email address
It is important to note that, for the PDPA not to apply, the business contact information should not have been provided by the individual solely for personal purposes.
Now, is your business obliged to comply with the Singapore PDPA?
Generally, the personal data protection act Singapore has adopted applies to all businesses within its jurisdiction. The proper approach is therefore to enumerate the exceptions. If you are operating as one of the following, you do not have to comply with the PDPA:
- A public agency
- An organization acting on behalf of a public agency with regard to the collection, use, and disclosure of personal data
- A private individual acting in a personal or domestic capacity
How about your employees? They are still required to adhere to their respective organization’s policies for ensuring their employer’s compliance with the personal data protection act Singapore enforces. However, employees themselves are not liable for their employer’s violation of the personal data protection act.
Looking for a Compliance Course? Read: Compliance Course Singapore: Spotlight on the 3 Offerings
Your 10 main obligations under the Personal Data Protection Act Singapore has mandated
And here we come to the most crucial part of the provisions of the Personal Data Protection Act of 2012: the main obligations of businesses operating in Singapore. Most companies prefer to have these conspicuously displayed in their workplace, so it is best that you consider doing so too.
1. Consent Obligation
Your business can collect, use and/or disclose the personal data of private individuals so long as those individuals have consented to those acts.
2. Purpose Limitation Obligation
Your business can collect, use, and/or disclose the personal data of private individuals only for the purposes to which they have consented.
3. Notification Obligation
Your business should always inform private individuals of the purpose for which their personal data is being collected, used, and/or disclosed. The PDPA requires that all such notifications be clearly communicated.
4. Access and Correction Obligation
Your business has the obligation to provide information to private individuals upon their request, as soon as possible and within a reasonable period. This pertains to inquiries about what personal data of theirs is in your business's possession or control, and/or how it has been used or disclosed.
5. Accuracy Obligation
Your business has the obligation to ensure that the personal data it collects is accurate and complete, especially if it will be used to make a decision that affects the private individual, or if the information is to be disclosed to another organization.
6. Protection Obligation
Your business must put in place security measures to protect all personal data within its possession or control. The PDPA intends to prevent risks such as unauthorized access, collection, use and/or disclosure of that data.
7. Retention Limitation Obligation
Your business should retain personal data only for as long as is necessary for business or other legal purposes.
8. Transfer Limitation Obligation
Transferring personal data overseas, for example to cloud storage, must meet the PDPA's data protection requirements.
9. Data Breach Notification Obligation
Should your business suffer a data breach that is likely to cause (or has caused) significant harm to the private individuals affected, or that affects at least 500 individuals, you are required to inform those individuals and likewise the Personal Data Protection Commission (PDPC).
10. Accountability Obligation
Your business has the final obligation to implement the necessary policies, procedures, and guidelines to fulfill your PDPA obligations. The information about these policies must always be publicly available.
With all this information, the final question is: is your business compliant with the Personal Data Protection Act Singapore has enforced? To answer it, you need to thoroughly audit your operations. If you find that you cannot tick most of the boxes, consider contacting a Data Protection Officer in Singapore.
Also Read: Data Protection Officer Singapore | 10 FAQs
Protecting the personal data that the organisation manages is the primary duty that must be upheld; otherwise the organisation risks the financial penalty imposed by the PDPC in the event of a breach. To help with their data protection compliance, organisations can outsource a DPO, an officer responsible for ensuring that all data protection provisions are complied with at all times.