Regulations & Frameworks

Singapore Personal Data Protection Act (PDPA)

The Personal Data Protection Act of Singapore is a data protection law passed in 2012 and brought into force in stages during 2013 and 2014. The PDPA sets out how personal data may be collected, used and disclosed by organizations that do business in Singapore.

The act is similar to the GDPR and CCPA in its approach to protecting the data and privacy of users.

Infringements of the PDPA can attract financial penalties of up to S$1 million imposed by the Personal Data Protection Commission (PDPC), and certain offences under the Act can also lead to imprisonment.  

Last Updated: March 20, 2020

What is PDPA?

Passed in 2012 and in force since 2014, the Personal Data Protection Act (PDPA) regulates how personal data can be collected, used and disclosed by organizations that handle the personal data of individuals in Singapore.  

The PDPA consists of rules governing the collection, use, disclosure, storage and transfer of personal data. It balances the right of individuals to protect their personal data against the need of organizations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. 

It establishes the Do Not Call (DNC) registry and identifies what personal data is protected, who must follow the PDPA, and who is protected under the PDPA.  

Similar to the GDPR, the PDPA has a territorial reach beyond just those companies or organizations within the country. It’s extended to those who may not have a physical presence in Singapore, but who still handle personal data of users in Singapore. 

What is personal data?

Under PDPA, the definition of personal data is “data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access.” 

While personal data across many global regulations differ, the premise remains the same. Any data that a company collects on a consumer that can in any way identify the user is protected under the PDPA. Even if the data is untrue, it is the responsibility of the company to adhere to the regulations put in place for their region.

Personal data is covered whether it is stored in electronic or non-electronic form; paper records must comply with the regulation just as databases do.

What does the PDPA apply to?

The PDPA applies to the collection, use and disclosure of personal data by organizations. Unlike the GDPR, which requires an enumerated lawful basis for each processing activity, the PDPA's purpose test is whether a reasonable person would consider the purpose appropriate in the circumstances and whether the individual was informed of it. That test is less prescriptive than the GDPR's, so the range of processing it permits is wider. Like the GDPR, the PDPA has extraterritorial reach: a business outside Singapore is covered if it handles the personal data of individuals within Singapore.

The PDPA does not apply to individuals acting in a personal or domestic capacity, to employees acting in the course of their employment, or to public agencies and organizations acting on behalf of a public agency in processing personal data (public-sector data is governed separately). Business contact information, such as an individual's name, job title and work contact details, is also excluded from the data protection obligations.

How to comply with PDPA

At a high level, there are specific steps that organizations should take to be compliant. 

  1. Only collect personal data for purposes to which the individual has consented. 
  2. Only use or disclose personal data about an individual for the purposes to which they have consented. 
  3. Notify individuals of the purposes for the collection, use or disclosure of their data on or before the point of collection.  
  4. On request, give the individual access to their personal data and information about the ways it has been used or disclosed within the year before the request was made. Access must be refused where providing it could threaten the safety or physical or mental health of another individual, cause immediate or grave harm to the requesting individual's own safety or health, or reveal personal data about another individual who has not consented to the disclosure.  
  5. Make a reasonable effort to ensure that the personal data is accurate and complete. 
  6. Protect the personal data with reasonable security arrangements that prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. 
  7. Cease retaining personal data, or anonymize it so that it can no longer be associated with an individual, as soon as it is reasonable to assume that the purpose for which it was collected is no longer served by retaining it and retention is no longer necessary for legal or business purposes. 
  8. Only transfer personal data to another country under the conditions the regulation sets for cross-border transfers, so that the data receives comparable protection abroad. 
  9. Make the organization's data protection policies, complaints process and security practices available on request. 

Section 14(1) of the PDPA outlines how an individual gives consent. “An individual has not given consent unless the individual has been notified of the purposes for which his personal data will be collected, used or disclosed and the individual has provided his consent for those purposes.” 

Organizations must obtain consent before or at the point of collection unless an exception applies. Consent can be given expressly or be deemed to have been given: if an individual voluntarily provides personal data for a purpose, and it is reasonable that they would do so, the collection for that purpose is deemed consented to. 

Consent can be obtained verbally or in writing, but it must be recorded, together with the purposes notified, so that the organization can prove it obtained consent if challenged.  
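The consent rules above (notify purposes first, consent bound to those purposes, consent recorded as evidence) and the one-year access obligation in the compliance steps translate into a few concrete controls in code. The following is an added illustration, not code from the page or from any PDPC guidance: a purpose-scoped consent ledger that refuses a use of data for a purpose the individual was never notified of, records each use so that an access request can be answered for the preceding year, and hash-chains its events so that a retroactively altered consent record is detectable. The individual identifier, purposes, channel and evidence reference are constructed sample values; the 365-day lookback mirrors the page's "within a year before a request" wording; the hash chain is a design choice for tamper evidence, not something the Act prescribes.

```python
"""Purpose-scoped, tamper-evident consent ledger (illustrative, not PDPC code)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    individual_id: str
    purposes: frozenset          # purposes the individual was notified of and agreed to
    notified_at: datetime        # notification must precede (or coincide with) consent
    consented_at: datetime
    channel: str                 # e.g. "web_form", "verbal" (assumed labels)
    evidence_ref: str            # pointer to the stored proof (form id, call recording id)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only log of consent events and data uses, chained with SHA-256."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._consents: list[ConsentRecord] = []
        self._uses: list[dict] = []
        self._events: list[dict] = []   # everything appended, in order
        self._chain: list[str] = []     # digest of each event, linked to the previous one

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True, default=str)
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def _append(self, event: dict) -> None:
        prev = self._chain[-1] if self._chain else self.GENESIS
        self._events.append(event)
        self._chain.append(self._digest(prev, event))

    def record_consent(self, rec: ConsentRecord) -> None:
        # s 14(1): consent is only valid if the purposes were notified first.
        if rec.notified_at > rec.consented_at:
            raise ValueError("purposes must be notified on or before consent is given")
        self._consents.append(rec)
        event = asdict(rec)
        event["purposes"] = sorted(rec.purposes)   # deterministic serialization
        self._append({"type": "consent", **event})

    def withdraw(self, individual_id: str, at: datetime) -> None:
        # Withdrawal closes every active consent for the individual from `at` onwards.
        self._consents = [
            replace(r, withdrawn_at=at)
            if r.individual_id == individual_id and r.withdrawn_at is None else r
            for r in self._consents
        ]
        self._append({"type": "withdraw", "individual_id": individual_id, "at": at})

    def may_use(self, individual_id: str, purpose: str, at: datetime) -> bool:
        """True only if a consent covering this exact purpose was valid at time `at`."""
        return any(
            r.individual_id == individual_id
            and purpose in r.purposes
            and r.consented_at <= at
            and (r.withdrawn_at is None or at < r.withdrawn_at)
            for r in self._consents
        )

    def record_use(self, individual_id: str, purpose: str, recipient: str, at: datetime) -> None:
        """Log a use or disclosure; refuse it if no valid consent covers the purpose."""
        if not self.may_use(individual_id, purpose, at):
            raise PermissionError(f"no valid consent for purpose {purpose!r}")
        use = {"type": "use", "individual_id": individual_id,
               "purpose": purpose, "recipient": recipient, "at": at}
        self._uses.append(use)
        self._append(use)

    def access_report(self, individual_id: str, requested_at: datetime) -> list[dict]:
        """Uses and disclosures in the year before the access request (compliance step 4)."""
        cutoff = requested_at - timedelta(days=365)
        return [u for u in self._uses
                if u["individual_id"] == individual_id and cutoff <= u["at"] <= requested_at]

    def verify(self) -> bool:
        """Recompute the chain; False if any stored event or digest was altered."""
        prev = self.GENESIS
        for event, digest in zip(self._events, self._chain):
            prev = self._digest(prev, event)
            if prev != digest:
                return False
        return len(self._events) == len(self._chain)


def demo() -> dict:
    """Walk one individual through consent, a refused use, withdrawal and an access request."""
    t0 = datetime(2020, 3, 1, tzinfo=timezone.utc)          # constructed timestamps
    ledger = ConsentLedger()
    ledger.record_consent(ConsentRecord("u-123", frozenset({"order_fulfilment", "delivery"}),
                                        t0, t0, "web_form", "form-8812"))  # constructed sample
    ledger.record_use("u-123", "delivery", "courier-co", t0 + timedelta(days=2))
    try:
        ledger.record_use("u-123", "marketing", "ad-network", t0 + timedelta(days=3))
        marketing_refused = False
    except PermissionError:
        marketing_refused = True
    ledger.withdraw("u-123", t0 + timedelta(days=400))
    return {
        "marketing_refused": marketing_refused,
        "delivery_after_withdrawal": ledger.may_use("u-123", "delivery", t0 + timedelta(days=401)),
        "report_at_day_300": len(ledger.access_report("u-123", t0 + timedelta(days=300))),
        "report_at_day_800": len(ledger.access_report("u-123", t0 + timedelta(days=800))),
        "chain_intact": ledger.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `may_use` is deliberately exact-match on purpose: a purpose the individual was never notified of fails closed, which is the behaviour section 14(1) requires. The `access_report` lookback is the only place the one-year window is encoded, so the retention and anonymization obligation (step 7) would be layered on top by a separate purge of records older than the purpose still justifies.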

Infringements of the PDPA can attract financial penalties of up to S$1 million imposed by the PDPC, and certain offences under the Act can also lead to imprisonment.