Personal Data Protection Act (PDPA)
The Personal Data Protection Act 2012 (PDPA) governs the collection, use, and disclosure of personal data. The PDPA guidelines were passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.
The PDPA recognizes both:
- The right of individuals (natural persons, whether living or dead) to protect their personal data; and
- The need of organizations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or residents outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (see below).
What is Personal Data?
Personal data means:
- Data about an individual who can be identified from that data itself; or
- Data about an individual who can be identified from that data and other information to which your business has or is likely to have access
Examples of personal data that can, on its own, identify an individual include:
- Biometric identifiers (face geometry or fingerprints)
- Name and NRIC number
- Photograph or video image of an individual
- Voice of an individual
- DNA profile
Note that the PDPA also protects, to a limited extent, the personal data of individuals who have been dead for less than 10 years. For such personal data, only the provisions relating to the disclosure and protection of personal data will apply.
What are the Types of Personal Data the PDPA Does Not Apply to?
The PDPA does not apply to the following categories of personal data:
- Personal data that is contained in a record that has been in existence for at least 100 years; and
- Personal data about a deceased individual who has been dead for more than 10 years
Business contact information, which includes an individual’s:
- Business title;
- Business telephone number; and
- Business address and email
Who is Not Obliged to Comply with the PDPA?
The PDPA imposes obligations on organizations with respect to the collection, use, and disclosure of personal data in Singapore.
The following persons, however, do not have to comply with these obligations:
- Any individual acting in a personal or domestic capacity;
- Any public agency; and
- Any organization in the course of acting on behalf of a public agency in relation to the collection, use, and disclosure of the personal data
Employees acting in the course of their employment with an organization will have to adhere to their organization’s policies for ensuring the organization’s compliance with the PDPA. However, they themselves cannot be held personally liable for actions resulting in their organization breaching the PDPA.
Additionally, organizations that are data intermediaries are partially excluded from these obligations.
The PDPA defines a “data intermediary” as an organization that processes personal data on behalf of another organization. However, this definition does not include employees of the organization (for which the data is being processed).
What are the Business Obligations Under the PDPA?
The 9 main obligations under the PDPA are:
- Consent Obligation: your business can only collect, use and/or disclose the personal data of individuals who have consented to such collection, use and/or disclosure. Read more about the PDPA consent obligation in our other article.
- Purpose Limitation Obligation: your business can only collect, use and/or disclose personal data of individuals for the purpose(s) for which consent has been given by these individuals.
- Notification Obligation: your business must inform individuals of the purpose(s) for which their personal data is being collected, used and/or disclosed.
- Access and Correction Obligation: your business is obliged to provide information to individuals, upon request and as soon as reasonably possible, on:
- What personal data of theirs is in your business’s possession or under its control; and
- How much personal data has been used or disclosed within 1 year before the date of the request
Your business must also correct errors or omissions in the personal data that is in its possession upon request unless it is reasonable to not make the correction.
- Accuracy Obligation: your business must make a reasonable effort to ensure that the personal data collected by the business is accurate and complete if the personal data is likely to be:
- Used by your business to make a decision that affects the individual to whom the personal data relates; or
- Disclosed by your business to another organization
- Protection Obligation: your business must put in place reasonable security measures to protect the personal data in its possession or control. This is to prevent risks such as the unauthorized access, collection, use and/or disclosure of such data.
- Retention Limitation Obligation: your business should retain the personal data for only as long as it is necessary for business or legal purposes.
- Transfer Limitation Obligation: if your business is transferring the personal data overseas, such as storing the data in the cloud, ensure that the transfer meets the PDPA’s data protection requirements. This is to ensure that the data being transferred is offered a comparable level of data protection as is provided by the PDPA.
- Openness Obligation: your business must implement the necessary policies and procedures to fulfill its PDPA obligations. It must make information about such policies and procedures publicly available.
PDPA Obligations Applied in Practice
To what extent can your business collect individuals’ personal data?
Pursuant to the Purpose Limitation Obligation (see above), your business may collect, use or disclose personal data about an individual:
- Only for purposes that a reasonable person would consider appropriate in the circumstances; and
- Your business has informed the individual of these purposes (where applicable under the Notification Obligation (see above)).
To prevent thefts and leaks of personal data, and monetary penalties, as a result, it is important to have a clear understanding of the business’ PDPA obligations.