A beginner’s guide to the Singapore PDPA

A beginner’s guide to the Singapore PDPA

With the dawn of digitalization, personal data has become the prized possession of everyone and was even considered the new gold in today’s time. Sadly, this has also been the case of bad actors who will do whatever they can to get access to it that organizations carefully hold. 

With the looming threat from cybersecurity criminals having sophisticated tactics to infiltrate organization’s databases and systems, national authorities have taken steps to ensure that no bad actors cannot get their hands to information they can profit off through data protection policies. In Singapore, it is called Personal Data Protection Act (PDPA), and this is governed by the Personal Data Protection Commission (PDPC).

Also Read: The necessity of data protection plan for businesses in Singapore

What is the Singapore PDPA?

The PDPA is a data protection law passed on 15 October 2012 by the Parliament of Singapore. The Act went into effect in its entirety in July 2014 and was most recently revised in November 2020.

PDPA is the one that regulates the collection, use, and disclosure of personal information about Singaporean citizens by various organizations. This law also recognizes the necessity for organizations to gather and utilize personal information in appropriate circumstances and obliges organizations who suffer data breaches to inform the authorities and those affected by it unless there is a rule that excepts them from doing so. 

Organizations have duties under the PDPA when they collect, use, or disclose any individual’s personal information. Any violation of these requirements would constitute a violation of the provisions of the aforementioned Act, which carries a penalty of up to S$1,000,000 in fines. The Personal Data Protection Act (PDPA) imposes 11 duties on organizations responsible for handling personal data:

1. Accountability Obligation

Organizations must take steps to ensure that they are meeting their obligations under the PDPA, such as providing information about their data protection policies, practices, and complaints process upon request, appointing a data protection officer (DPO), and making business contact information available to the public.

Organizations should be willing to provide information about their data protection methods, policies, and complaint processes to anybody who asks.

2. Notification Obligation

Organizations are required to advise individuals of the objectives for which their personal data will be collected, used, or disclosed.

3. Consent Obligation

Organizations are only permitted to collect, use, or disclose personal data for purposes to which an individual has consented.

Furthermore, organizations must allow individuals to withdraw consent with reasonable notice and notify them of the possible implications of doing so. When consent is revoked, ensure that you stop collecting, using, or disclosing the individual’s personal data.

4. Purpose Limitation Obligation

Organizations may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate under the circumstances and for which the individual has given consent.

An organization may not force an individual to agree to the collection, use, or disclosure of his or her personal data beyond what is necessary to offer that product or service as a condition of providing that product or service.

5. Accuracy Obligation

Organizations must make a reasonable effort to ensure that the personal data collected is accurate and complete, especially if it will be used to make a decision that affects the individual or is disclosed to another organization.

6. Protection Obligation 

To prevent unauthorized access, acquisition, use, disclosure, or other threats to personal data in an organization’s control, reasonable security mechanisms must be put in place.

7. Retention Limitation

Organizations are only required to stop retaining personal data or dispose of it properly when it is no longer required for any commercial or legal reason.

8. Transfer Limitation Obligation

Organizations are only required to transmit personal data to another country according to the legislation to guarantee that the quality of protection is similar to that provided by the PDPA unless exempted by the PDPC.

9. Access and Correction Obligation

Organizations must offer individuals access to their personal data as well as details on how the data was used or disclosed during the previous year upon request.

Organizations must also correct any errors or omissions in the individual’s personal data as soon as possible and send the corrected data to other organizations to which the personal data was disclosed (or to selected organizations to which the individual has consented) within a year of the correction.

10. Data Breach Notification Obligation

In the case of a data breach, organizations must determine if it is notifiable. Suppose a data breach is likely to cause significant harm to individuals and/or is on a large scale. In that case, organizations must notify the PDPC and the affected individuals as soon as possible.

11. Data Portability

Organizations are expected to communicate the individual’s data that is in their custody or under their control to another organization in a generally used machine-readable format upon the individual’s request.

The purpose of Singapore PDPA

The purpose of this Act is to regulate the collection, use, and disclosure of personal data by organizations in a manner that acknowledges both the right of individuals to protect their personal data and the need for organizations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate under the circumstances.

What does the Singapore PDPA apply to?

The PDPA, like other data protection laws such as the UK and EU GDPR and Brazil’s LGPD, has “extraterritorial consequences.” This means that organizations based outside of Singapore may be required to comply with the PDPA if they collect, use, or disclose data within Singapore.

For example, if a non-Singaporean corporation, such as Facebook, gathers Singaporean data online, it is subject to the PDPA. It will also be subject to sanctions if found to be in violation of the regulation.

What penalties result from PDPA non-compliance?

If an organization is determined to be in breach of the PDPA, the PDPC reserves the power to implement a variety of penalties. These include mandating that the organization to:

• Destroy personal information gathered in violation of the PDPA.
• Provide access to or correct personal data.
• Pay a fine of up to 1 million Singapore dollars

PDPC now has the authority to impose more severe monetary penalties. This includes up to 10 percent of the organization’s yearly turnover in Singapore if it exceeds SGD 10 million.

Conclusion

The PDPA is set in place so that organizations are obliged to ensure that they have enough security arrangements in place to protect the personal data they handle. This law protects customers from their confidential personal information being disclosed and bolsters businesses’ cybersecurity hygiene in the process. 

Also Read: Data Protection Act of Singapore: Validity in the Post-pandemic World