KNOWLEDGE BASE Data Protection Regulations in Singapore

 

Data Protection Regulations in Singapore

 

In the business world today, the collection, use, and disclosure of personal data by a company is an integral part of its functioning and success, though it does not come without risks for both consumers and companies. For consumers, the unauthorized access and use of their personal data could mean identity theft, which can affect every aspect of their lives for many years. For companies, big, medium, and small, a data breach can be ruinous. Data protection and data privacy are of utmost importance to people and countries around the world today.

In the event of a security breach, companies face the potential for:

  • civil penalties

  • lawsuit liability

  • extreme expense to notify customers, to investigate the breach, to compensate customers, and to update their systems to prevent another such breach

  • loss of profits from a decrease in consumer confidence and a negative reputation

Many countries place importance and strict obligations on companies' collection, use, and disclosure of personal data, and Singapore is no exception. Singapore takes the protection of personal data very seriously, but also understands that companies need to collect, store, and use personal data to some degree in order to do business. As you enter the Singapore market, it's in your best interest to ensure you have systems in place to comply with Singapore's regulations around collecting and keeping data.

 

What laws or regulations apply?

 

Personal Data Protection Act of 2012

The Personal Data Protection Act of 2012 (PDPA) establishes data protection law to govern and regulate the collection, use, and disclosure of personal data. The PDPA recognises both the right of individuals to protect their personal data and the need of organisations to collect, use, and disclose personal data. The PDPA contains nine primary obligations that organisations are required to comply with if they undertake activities related to the collection, use, and disclosure of personal data.

The PDPA also provides for the establishment of the Do Not Call Registry, which allows individuals to register Singaporean numbers to opt out of marketing phone calls, text messages, and faxes. More information on the Do Not Call Registry as it relates to phone marketing can be found in our related Mobile Marketing section.

 

What are the important terms to understand?

An understanding of two of the most important terms used in the PDPA is necessary to develop and implement appropriate data protection policies and procedures for companies expanding into Singapore.

 

Organization - The PDPA's definition is:  An “organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not

(a) formed or recognised under the law of Singapore; or

(b) resident, or having an office or a place of business, in Singapore.

Every organisation, as defined above, is required to comply with the PDPA regarding any activity related to the collection, use, and disposal of personal data, unless it falls within a category of organisations that are expressly excluded from the application of the PDPA.

 

Personal Data - The PDPA's definition is:  “Personal data” means data, whether true or not, about an individual who can be identified

(a) from that data; or

(b) from that data and other information to which the organisation has or is likely to have access

The definition of personal data under the PDPA is broadly construed to include any type of data from which an individual can be identified.

Personal Data under the PDPA may include:

  • DNA

  • full name

  • mobile telephone number

  • NRIC (National Registration Identity Card) number or FIN (Foreign Identification Number)

  • passport number

  • personal email address

  • personal mailing address

  • photograph or video image of an individual

  • thumbprint

 

The definition covers data that necessarily relates to an individual, e.g., an individual's name, as well as data that does not necessarily relate to an individual, but is associated with or made to relate to an individual, e.g., an address. Other generic data can also form part of an individual's personal data, i.e., when combined with personal data the individual is identifiable.

 

Example

Jane Doe is a 35-year-old Singaporean female. Without more information, general characteristics such as age, nationality, and gender do not identify an individual. However, if Jane fills out a membership form that requires her full name, age, nationality, and gender, all the information on the membership form, including the general characteristics, becomes her personal data.

Under the PDPA, organisations are responsible for personal data in their possession or under their control. Organisations that employ intermediaries to process personal data on their behalf and for their purposes have the same responsibilities as they would if the organisation processed the data itself. When data is collected overseas and subsequently transferred into Singapore, the Data Protection Provisions will apply to activities involving personal data in Singapore.

 

Example

ABC, an organisation based overseas, has a contractual agreement with JKL, a data hosting company based in Singapore, for JKL to host ABC’s client database. The Data Protection Provisions apply to personal data in the client database when it is in Singapore. Since JKL is acting as ABC’s data intermediary, by hosting the client database pursuant to a contractual agreement, JKL is subject to the Protection and Limitation Obligation with respect to said hosting.


ABC discloses personal data of its clients to DEF, a company based in Singapore, for DEF to conduct its own market research. Since DEF is not a data intermediary, DEF is subject to all Data Protection Provisions with respect to its collection, use, and disclosure of personal data for its purposes.

Does your organization, as defined above, collect, use, or disclose any personal data? If so, you must comply with the PDPA.

 

How do I comply with the PDPA?

Below is a summary and analysis of the nine obligations the PDPA places on your organisation if you collect, use, or disclose personal data.

 

  1. Consent Obligation: PDPA sections 13-17 require that an organisation obtain consent from the individual before collecting, using, or disclosing his personal data.

  2. Purpose Limitation Obligation: PDPA section 18 allows an organisation to collect, use, or disclose personal data only for purposes that a reasonable person would consider appropriate under the circumstances.

  3. Notification Obligation: PDPA section 20 requires organisations to inform individuals of the purposes for the collection, use, or disclosure of the personal data upon or before collecting the data.

  4. Access and Correction Obligation: Sections 21 and 22 require that an organisation, upon request, provide individuals with the data in its possession or control, information about the ways in which the data may have been used or disclosed during the past year, and correct an error or omission in the data within its possession or control.

  5. Accuracy Obligation: Section 23 requires an organisation to make a reasonable effort to ensure personal data collected by the organisation or on its behalf is accurate and complete if the personal data is likely to be used to make a decision that affects the individual concerned or is disclosed to another organisation.

  6. Protection Obligation: Section 24 requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

  7. Retention Limitation Obligation: Under the PDPA section 25, an organisation must cease retention of documents containing personal data or remove the means by which personal data can be associated with a particular individual when it is reasonable to assume the purpose for the collection is no longer being served by retention or retention is no longer necessary for legal or business purposes.

  8. Transfer Limitation Obligation: Under section 26, organisations must comply with all requirements prescribed by the PDPA in order to transfer personal data to a country or territory outside Singapore.

  9. Openness Obligation: Sections 11 and 12 require an organisation to implement the necessary policies and procedures to meet its obligations under the PDPA and make information about said policies and procedures available publicly.

 

What are the risks of noncompliance?

The Personal Data Protection Commission (PDPC) is charged with the enforcement of the PDPA. If the PDPC finds that you have breached any of the data protection provisions, it can enforce compliance through any means it deems appropriate including:

  • requiring that you stop collecting, using, or disclosing personal data in contravention of the Act,

  • requiring you to destroy any personal data collected in contravention of the Act,

  • requiring that you provide access to or correct the personal data, and/or

  • imposing a financial penalty in an amount not to exceed S$1,000,000.

 

If you have any concerns about your understanding of the PDPA and your compliance with it, we encourage you to seek legal counsel in Singapore. You can find vetted legal firms who are qualified to advise and assist you in the Globig Marketplace.

 

Resources

Personal Data Protection Act of 2012

Personal Data Protection Commission

Personal Data Protection Commission: Main Advisory Guidelines
